Monday, April 1, 2013

Security: Wrap Up



Just in case you haven’t been reading my past couple of posts – I’ve been discussing security.  Specifically, the need for organizations to take proper steps up-front within their development lifecycles to mitigate the risks of being hacked.


If you still don’t think this is something to be worried about, let me give you some information:

  • A Forbes article in 2011 states that the average cost of a private information leak was $6.3 million: Forbes: Data Breach
  • When crackers took down Sony in 2011, Sony reported that it cost them $170M to clean up the mess and put their sites back on-line: The Bright Side of Being Hacked
  • As Verizon indicates in their report, many of the organizations hit did not experience direct losses.  They did end up spending money on forensics and recovery – how much can your company afford to pay an external forensics team to determine whether or not you’ve lost data? Verizon: Data Breach Report

Unfortunately, cracking is not as difficult as you might think.  Here is a link that shows how crackers expose passwords once they’ve stolen the files off your system:


If you really want to scare yourself – go to YouTube or Google and search on ‘How easy is it to hack someone’s computer’.


This is the easy stuff – there are dedicated web sites used by professionals where they pass around password lists, sell and purchase stolen data, or give each other access to networks that they’ve cracked.  With a few clicks they can purchase or give away thousands of “identities” – i.e. the customer data that they steal from you.  Are you keeping customers’ names, addresses, phone numbers, email addresses?  This is all stuff that the hackers want to get their hands on.  Even more so if you’re storing credit card information in your systems.  Do you keep bank account information and routing numbers so that you can process electronic checks?  Again, this is something the crackers will be after.


You may believe that you’re small potatoes and that the bad guys only concentrate on larger companies.  Nothing could be further from the truth.  They are scanning the internet and looking for weaknesses – they don’t care how big or small you are.  If you have a vulnerable system – they want to find it, they want to exploit it and they want to take as much as they can.  You need to build security in from the outset, you need to continually apply the latest security patches to your infrastructure, and you need to ensure that your development teams – internal as well as external – are using industry best practices to mitigate security risks.


So, if my previous articles didn’t make you think seriously about incorporating security best practices within your organization and the systems you develop, hopefully this article has helped tip the scales.  You need to review all of your systems – those built in-house, those purchased off the shelf, and those custom developed for your organization – and you need to ensure that they provide the necessary security protections.

Tags: #sdlc, #softwaredevelopment, #lifecycle, #process, #applicationdevelopment, #security, #webdevelopment, #applicationsecurity

If you'd like more information on my background: LinkedIn Profile
