After playing an exciting game of telephone tag, Jim Freeze of Crossbeam Systems and I finally had a chance to chat about his company, their product portfolio and the philosophy behind their products. We also chatted about the fact that I lived quite close to Crossbeam's offices when DEC moved me from Kansas City to Massachusetts in the mid-1980s.
We both agree that today's n-tier, distributed application architectures often present challenging security risks because the developers were concerned about application functions and performance, not security. Each exposed interface used during the development of the workload was also an attack surface. Executives of many organizations simply don't think about security until 1) one of their friends experiences a security breach, 2) new regulations appear requiring better security or 3) they have their own exciting adventure in poor security practices.
Jim pointed out that Crossbeam's products were designed to help. We both agree that security, like management, needs to be baked in during the development of a system rather than added on later.
Why, do you suppose, is it that many organizations don't spend much time thinking about security?