DROP, DRIP, SDL and OBTK
OK, nice title, four acronyms and one word :)
This post is about security, but even if you *hate* security, please keep reading. I'll try to keep this post short and to the point!
While reading through the latest SC Magazine, I ran across this article talking about the first two of the aforementioned acronyms, DROP and DRIP:
Definitions
DROP == Distributed Responsibility Of Protection
DRIP == Designing Responsibility In Protection
SDL == Security Development Lifecycle
OBTK == One Butt To Kick (OK that is not a real acronym, but it really means being accountable)
DROP's main premise is to have lots of people with their eyes on security (Mr. Lawhorn likens it to a neighborhood watch program).
DRIP's main premise is to build security in from the ground up, starting with the design.
SDL == DRIP
OBTK != DROP -- Through experience (gosh, do I sound old now) I've found that not having one person or group accountable for anything is a slippery path to trouble. If more than one person is 'responsible' (using that term loosely), human nature tends to assume/trust that the other people have done their job, so each of them gives the work a cursory glance and approves it.
I find myself in the DRIP camp. (Yes, I'm a drip, all jokes aside :) )
jk