Traditional Risk Analysis is anachronistic. Despite its aim of depth and accuracy, it is late, not expressible in money, and unstructured; this leaves 3 dimensions of analysis unaddressed:
- No Time: by the time the analysis is finished, the IT infrastructure it describes has already changed. Typical applications are upgraded once a month; some mobile apps every week or every few days
- No Money: the evaluation is expressed on a theoretical scale (low/medium/high or 1-10) that is not tied to the actual business impact or the real loss of money
- No Architecture: the identified countermeasures are described as designed specifically for the IT application under evaluation, rather than referring to a systematic approach (technical or procedural) already used by the company
A different approach is required. What follows is a porting of Agile Risk from Project Management to Security Management, sharing the DevOps paradigm.
Time has passed, and the old IT world for which traditional RA was developed is no longer in use; there are 3 main changes:
- Craft vs Factory: IT is no longer craftwork. Even when an IT solution addresses specific issues, it is built from pre-built components (often shared among apps). Security should be applied (through proper countermeasures) to those first, and only then to 'ad hoc' configurations and customizations
- Attack Sense: no one does something for nothing (time is money), and cyber attacks are subject to the same rule. This is the era of cybercrime used as an instrument for making money (no longer occasional crackers). Security should start by identifying the attackers' intended goals
- DevOps: there is no longer a clear separation between building and maintaining IT infrastructure. Development and Operations are deeply intertwined: a failure in the former affects the latter and vice versa. A proper vulnerability taxonomy is needed to help address effective countermeasures mapped to Dev, Ops, or both. Security should adopt an approach like this