Tuesday, May 21, 2013

Security Matters – And It’s Not Going To Get Any Better …

If you have any type of a system interface that is exposed to the internet, then you have a potential problem.  In case you haven’t heard, there’s a war going on and you had better be making sure that your defenses are in place and being kept up to date.

What used to be the realm of script kiddies playing with ways to hack into a system for fun has grown into a full-blown international business, with attackers stealing real money, exfiltrating corporate data, or turning your systems into nodes of a botnet that is then used to attack other systems across the world.  The landscape isn't getting any prettier now that governments openly accuse each other of state-sponsored hacking.

Today, one of the most sought-after positions is the role of security architect/analyst.  These are the white-hat hackers who work to keep a company's systems and applications safe.  In today's world I wouldn't ever claim that they can fully protect you, but if they're doing their jobs they will dramatically lower the chances of your systems being successfully attacked.

And, these days, you have to be just as concerned about internal attacks as you are about someone outside the company breaking in.  If you are breached, the odds are far better that the attacker was an outside party, but that doesn't remove the threat of a disgruntled employee leaving a back door open so that they can clean you out down the road.  The 2012 Verizon Data Breach Investigations Report found the following:

  • 98% of the data breaches were initiated from external agents
  • 4% involved internal employees
  • 58% of all data theft instances were initiated by activist groups

See the following link to read the entire report: 2012 Verizon Data Breach Investigations Report

The report is sobering to say the least.  The most damning piece of data in it: 79% of the victims were targets of opportunity.  In other words, nobody singled those companies out; an attacker looking for weaknesses found one because the company had left the doors open by not taking proper precautions to secure its systems and applications.

I'm not going to use this space to regurgitate the findings of Verizon's report.  What I do want to do is spend a few minutes on the right point in time to start talking about security.

That would be NOW!

OK, let's break it down from the beginning.  Whatever methodology you use to run your projects and manage your SDLC, you need to incorporate security up front in the process.  Within each project you need to be aware of the security risks and take appropriate action:

  1. What are the risks associated with the project (hardware, software, interfaces, data, etc.)?
  2. What is the likelihood of each risk occurring, and what is the impact if it does?
  3. What is the mitigation plan for each risk, and who owns it?

These questions need to be asked up front, and the answers need to be built into the requirements/stories that the team will use to build and test the solution.  That's right: you not only need to write the security requirements up front, you need to test them just like any other requirement, so that a missing mitigation fails the build instead of surfacing in an incident.  Moreover, there are industry best practices to follow at both the physical infrastructure/data center level and the application level:

Data Center Best Practices

  1. SAS70 Data Center Security
  2. Best Practices for Data Center Security
  3. 19 Ways to Build Physical Security into a Data Center

Application Security Best Practices

  1. OWASP Web Application Security
  2. Microsoft Security Development Lifecycle
  3. ISC2 Ten Best Practices for Secure Software Development

It doesn't matter how large or small an organization you work for: if you are not building security in up front, you are asking to be hacked.  And, yes, that may mean breaking the current processes you use to manage and build your infrastructure, as well as your software development lifecycle.
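As an added example (not code from the original post), here is what "test security requirements like any other requirement" looks like in practice, in Python. Two hypothetical entries from a project's risk register are turned into requirements SEC-1 and SEC-2, each with a check that fails when the mitigation is missing. The user store, the export function, the requirement IDs and the LegacyUserStore "before" picture are all constructed for this example and are not from any real project.

```python
"""Security requirements written as executable checks (added example, hypothetical project).

Risk register (constructed for this example):
  R1  Credential database disclosed (data / interface: user store)
      -> SEC-1: passwords are stored only as salted, slow-hashed digests
  R2  Customer export reachable by any authenticated user (interface)
      -> SEC-2: export requires the 'admin' role; everyone else gets 403 and no data
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 200_000  # slow hash: raises the cost of offline guessing


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    roles: frozenset


class UserStore:
    """Mitigation for R1: PBKDF2-HMAC-SHA256 with a per-user random salt."""

    def __init__(self):
        self._users = {}

    def register(self, name, password, roles=()):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[name] = User(name, salt, digest, frozenset(roles))

    def verify(self, name, password):
        user = self._users.get(name)
        if user is None:
            # Hash anyway so an unknown username is not distinguishable by timing.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, user.digest)

    def raw_record(self, name):
        """What an attacker holds after dumping the store; used by the SEC-1 check."""
        user = self._users[name]
        return {"salt": user.salt, "digest": user.digest}

    def roles(self, name):
        return self._users[name].roles


class LegacyUserStore(UserStore):
    """The 'before' picture: unsalted SHA-256. Constructed so the SEC-1 check has something to fail."""

    def register(self, name, password, roles=()):
        self._users[name] = User(name, b"", hashlib.sha256(password.encode()).digest(), frozenset(roles))

    def verify(self, name, password):
        user = self._users.get(name)
        return user is not None and hmac.compare_digest(
            hashlib.sha256(password.encode()).digest(), user.digest)


def export_customers(store, caller, customers):
    """Mitigation for R2: authorization check before any data leaves."""
    if "admin" not in store.roles(caller):
        return 403, None
    return 200, list(customers)


def check_sec1(store_cls):
    """SEC-1 holds if equal passwords give different digests (salted), the digest is not a
    bare fast hash, the password is not present in the record, and login still works."""
    store = store_cls()
    pw = "correct horse battery staple"
    store.register("alice", pw)
    store.register("bob", pw)
    alice, bob = store.raw_record("alice"), store.raw_record("bob")
    salted = alice["digest"] != bob["digest"]
    not_fast_hash = alice["digest"] != hashlib.sha256(pw.encode()).digest()
    no_plaintext = pw.encode() not in alice["digest"]
    login_works = (store.verify("alice", pw) and not store.verify("alice", "wrong")
                   and not store.verify("nobody", pw))
    return salted and not_fast_hash and no_plaintext and login_works


def check_sec2(store_cls):
    """SEC-2 holds if an admin gets the data and a non-admin gets 403 with no body."""
    store = store_cls()
    store.register("root", "r00t-passw0rd", roles=("admin",))
    store.register("carol", "carol-passw0rd", roles=("sales",))
    customers = ["acme", "globex"]
    admin_status, admin_body = export_customers(store, "root", customers)
    user_status, user_body = export_customers(store, "carol", customers)
    return admin_status == 200 and admin_body == customers and user_status == 403 and user_body is None


if __name__ == "__main__":
    for label, cls in (("hardened", UserStore), ("legacy", LegacyUserStore)):
        print(f"{label:8s} SEC-1: {'pass' if check_sec1(cls) else 'FAIL'}  "
              f"SEC-2: {'pass' if check_sec2(cls) else 'FAIL'}")
```

Run the file directly to see each check's result.  The legacy store fails SEC-1 because two users with the same password end up with the same unsalted digest, which is exactly the kind of gap a requirement-level test should catch before release rather than an attacker catching it after.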

Several years ago, Microsoft was the recognized pariah of the security world.  Their systems were like Swiss cheese, and attacks on the Windows operating system and Microsoft applications were a daily occurrence.  Finally, in January 2002, Bill Gates sent an email to every Microsoft employee laying out the strategy for building security into their products.  He named it Trustworthy Computing, and over time it grew into the Microsoft Security Development Lifecycle.  When it comes to developing secure operating systems and applications, Microsoft is now ranked among the best in the industry.  Bill Gates was famous for being able to pivot the Microsoft machine and find a way to change the direction and trajectory of the company.

So, what are you doing to ensure the security of the systems that you are putting in place?


Tags: SDLC, Software Development, Lifecycle, Process, Application Development, Security, Web Development, Application Security

If you'd like more information on my background: LinkedIn Profile

1 comment:

  1. I am impressed with your exposition here; it gives me more insight into why information and application security remain vital in our current times.
    I would appreciate more issues being discussed here on this matter.
    Mac-xtian