Study the following (badly drawn) image and see if there is anything obvious popping into your head. Now, you've probably got hundreds of questions going through your mind about testing and so on. But I want to draw your attention to the security, and to the value that this security is protecting. Let me backfill the story.

I went to a major electrical goods chain here in the UK. I wanted to buy a hard drive. I saw the one I wanted, behind the glass in the locked and secure glass cabinet. I asked the assistant if I could have one and it took her about 2 or 3 minutes to find the keys. It then took her about 2 minutes to open the cabinet, get the disk out and then lock it all back up again. So around 5 to 7 minutes, give or take 10%, to get a hard drive and pay for it. But it's not the customer service I'm concerned about.

Whilst the lady was extracting the hard drive I did some pondering. I roughly added up the value of the hard drives in the cabinet and the total came to about £1000. Well worth securing. I then scanned just the two metre shelf next to the cabinet and it had about £3000 of routers and switches. The glass cabinet had items that ranged between £30 and £89.49. Yet the shelf had items that ranged between £30 and £109.10. It didn't really make sense to me. If I were the store manager, I would be looking to secure the most expensive and valuable stock. Wouldn't you?

So I asked the lady why this was the case. She said "Because it's always been done that way. I guess I'd never thought to question it". I asked whether hard drives were the most stolen of items, fishing to see whether highly targeted products were being secured over high value products. The lady didn't know. I tried to find some stats but failed. I suspect it's not got much to do with it. The lady said that many displays, concepts and ideas came from head office and remained that way even if they were ineffective. It's because it's always been done like that, I guess.
And so I draw the comparison to testing, product design, feature sets and anything else we may ever get involved with in our daily work. Why keep doing something when it is ineffective? Why spend months writing test documentation that no-one reads? Why spend months writing test cases in minute detail to have to re-write them when you see the final product? Why always concentrate your security testing on the software when in reality the user is the biggest security gap? Why keep reporting that metric when no-one needs it? Why not challenge the norm? The ineffective? The old rules and processes?
Why not suggest new and interesting ways of doing things? Why not improve or tweak processes for changing circumstances? “Because it’s always been done that way”. Do you have compelling reasons to leave something ineffective in place? Please let me know.