The Adoption of “Slow Ideas”
Surgeon Atul Gawande recently wrote about the phenomena of “slow ideas” in The New Yorker. In the article, Gawande explores why some great ideas move quickly and are adopted rapidly, while others lag and take years before they are generally accepted. Gawande starts off with two excellent examples from medicine in the 1800s: anesthesia and antisepsis.
Anesthesia was first introduced by a doctor at Mass General Hospital in October 1846, a paper on anesthesia was published by another doctor “four weeks later, on November 18th. . . in the Boston Medical and Surgical Journal.” And by the middle of December that year anesthesia was being used around the US and in Paris and London before spreading throughout the rest of Europe and the World.
Nowadays with the instantaneous global reach of the Internet we’re used to memes like Gangnam Style and Manti T’eo’s catfish girlfriend spreading worldwide in hours. But back in the 1800s to have an idea, especially one as risky as knocking patients out with ether, spread internationally in mere weeks is impressive. One could argue that great ideas are just so good that they’re bound to spread like wildfire.
But Gawande’s second example, antisepsis, shows this isn’t always the case. Antisepsis is the prevention of bacterial infection through the use of antiseptics. Back in the day surgeons wore coats stiffened with the blood of patients like a badge of honor. And they performed surgery wearing coats caked with previous patients’ blood while working on the next ones. If, like me, you were somewhat traumatized and revolted the first time you saw Eakins’ painting The Gross Clinic, you know how far we’ve come.
Today we’re used to sterile operation rooms and crisp white, freshly laundered lab coats. But the less than antiseptic conditions of the Gross Clinic was the standard for its time. In the 1860s, surgeon Joseph Lister became convinced that microorganisms were the underlying cause for patient wound sepsis and began to evangelize use of carbolic acid to cleanse hands, surgical instruments and wounds. But two decades later, hand washing was still perfunctory even at Massachusetts General Hospital.
The Key to Moving AppSec Forward
Both anesthesia and antisepsis have clear benefits, but one is easier to adopt and provides more immediate benefits than the other. So while anesthesia was almost immediately accepted and adopted, antisepsis floundered and took a much slower path. Antisepsis required upfront work from the surgeon: extra time to clean the instruments, painful washing of their hands with burning carbolic acid. But it was adopted eventually. As more and more surgeons experimented with antiseptic operating environments, and reaped the benefit of having fewer patients become infected post-surgery, the word spread.
Application security testing is a “slow idea” like antisepsis. The benefits are clear and measurable, but are not always immediately apparent. Deploying a vulnerable application may never have a repercussion if the vulnerability remains undiscovered or unexploited. But the work to build security into the software development lifecycle and perform testing is very apparent. Moreover, application security testing can seem like a deployment gate because it requires developers and security teams to not only test the software but also to take time to remediate or mitigate vulnerabilities before deployment.
In the long run, having more robust applications is as important as having patients leave the surgery room without infection. But the resource investment upfront isn’t always matched by recognizably “better” products. Features and functions have a high visual yield, but vulnerabilities are invisible until they’re discovered. And there’s no guarantee they ever will be discovered or exploited.
The key to driving adoption of ideas and procedures that don’t have an immediate, tangible benefit is experience and information sharing. Like the 1800s surgeons who practiced antisepsis and over time could prove a much lower infection rate in patients, today’s application development and security teams need to share their experiences with application security testing and the long-term benefits of building security in that they’ve experienced as a result.
EU: Speeding the AppSec Word
A number of people and groups in the EU are doing just that. They’re gathering, researching and sharing their experiences with application security and gaining adoption momentum.
In August, the First European workshop on Web Application Security Research (WASR’13) will be co-located with the OWASP AppSec Research 2013 conference in Hamburg, Germany. The International Standards Organization (ISO) has developed an overview for application security that has been adopted by many large organizations including Microsoft.
And ENISA (European Network and Information Security Agency), which is leading the response to these cyber security issues of the European Union, has developed a set of Secure Software Engineering Initiatives and is addressing the lack of secure application development guidelines in collaboration with OWASP.
Here at IBM, we’re working on expanding our interactions with EU companies to help them learn from our experience with application testing and security in development using a secure engineering framework. In the coming months, the AppScan team has committed to being more active in the EU so we can help transform application security testing from “slow idea” to accepted standard operating procedure.
Thanks to the great work being done and the conversations being had in the EU, application security is at an adoption tipping point in the region. Perhaps, someday there will be an IT equivalent of The Gross Clinic. We’ll look back at a time when we didn’t build security in and rigorously tested applications for vulnerabilities and infection points before deployment and wonder how we could ever have thought that made sense.