
5 Trends in Software Security

2015 brought a number of high-profile security breaches, putting company and consumer information at risk. Ashley Madison, VTech, even the Department of Health and Human Services had their data compromised.

It could have been avoided.

You've heard this before, but companies like DCG, and my company, proServices, will continue to bring it up until security is taken more seriously. The first step is staying aware of the latest security threats in order to appropriately ward them off. But, as one risk dies out, another will always take its place.


Download this white paper to learn the top 5 vulnerabilities of 2015 - and what's on the horizon for 2016.



Rob Cross
PSC, Vice President

Written by Rob Cross at 05:00

APP SECURITY: New Year’s Resolutions & the Coming Holiday Hangover

Fast forward to January 6th, 2014, the first Monday of the first full week of the New Year. The vapor trail from the parties, great food and drink has dissipated as the reality of a new year with new challenges sets in with your first cup of office coffee.

Your boss enters the room and says, “Happy New Year, sport! What are your thoughts on changing our cyber/application security strategy this year as our department’s New Year’s resolution?” STOP! Before you answer with a knee-jerk response like, “Dude, seriously … the coffee hasn’t hit my system yet to start thinking in esoteric terms, and the champagne from New Year’s Eve hasn’t completely worked its way out of my system!” What you should say is, “Chief, culture eats strategy for lunch!”

The most successful companies of our time have achieved greatness by executing strategies driven by a culture built on core principles. Approaching application security with strategy alone will achieve results, but without a culture of security woven into the fabric of your company, those results will be short-lived.

I will briefly discuss the six (6) fundamentals of building a secure culture in your company. None of these are absolute, and your mileage will vary depending on your company’s uniqueness. One other disclaimer: each of these building blocks deserves far more context than a mention in a blog post can give it, but let’s have some fun anyway.

PEOPLE – You’re only as good as your people, and having an effective human capital strategy is essential. Many programmers and managers struggle to understand the difference between secure coding and regular programming. Establishing a continuing education program for all employees starts to remove this layer of fog and arms your most valuable resource with the critical knowledge to start building in security from the grassroots. Don’t forget to build in incentives to reinforce the importance of flawless execution, and, most importantly, make it fun by adding a sprinkle of gamification!

PROCESS – You don’t know where you’re going if you don’t know where you’ve been! Having a process that is measurable, repeatable and predictable is important in laying the foundation of a secure culture. Having a process in place allows you to experiment by plugging in different concepts and ideas and seeing their material effect on your security posture. This building block is not a light switch you can turn on if you don’t have it; it may require some long-term planning, but it is very important.

TECHNOLOGY – Don’t stress about picking the right application security analysis tool; just pick one and go with it. Getting the technology right in the beginning isn’t as important as setting the expectation throughout the organization that automation will be part of your secure culture operations without exception. A tool can be swapped out later; the habit of running it on every build is far harder to retrofit.

STANDARDS – Don’t use aviation standards to build mobile apps! There are plenty of published security standards out there. Pick the one that suits your company, product and market, and spoon-feed it to your engineering team gradually over time. It’s a marathon, not a sprint.

DATA MANAGEMENT – This is where the fun starts. You might be a little tired when you get here, but when you start to see the data being generated from all of these building blocks, the real work begins. Too many organizations fail by patting themselves on the back at this point, stopping to admire what they have accomplished. But that’s not going to be you! Understanding the data and turning the identified security risks into opportunities for your company to catapult ahead of the competition is the battle cry of carpe diem! 

TRANSPARENCY – Providing different views of the same security data to executives and engineers is absolutely essential. Ensuring that all stakeholders are apprised of the current security status, understand what the data means and, even more importantly, collaborate to act on the opportunities it reveals is the business benefit of a culture centered around security.
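The building blocks above call for a measurable, repeatable process, automation without exception, and two views of the same security data, but they do not show what that looks like in practice. The script below is an added example, written for this page and not code from the post or from PSC. It implements a small policy gate over static-analysis findings, with time-boxed risk acceptances so that an accepted finding cannot quietly become a forgotten one, and produces an engineer view (every finding, by location) and an executive view (counts and carried risk) from the same data. The findings format, the rule names, file paths, ticket numbers, dates and the severity threshold are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Ordering used by the gate. The scale is an assumption, not a standard.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule: str       # analyzer rule id (hypothetical names in the sample data)
    severity: str   # one of SEVERITY_RANK's keys
    path: str
    line: int


@dataclass(frozen=True)
class RiskAcceptance:
    """An accepted finding. It must carry a ticket and an expiry date so
    that 'accepted' never silently turns into 'forgotten'."""
    rule: str
    path: str
    expires: date
    ticket: str


# Constructed sample input shaped like a scanner's output (not real findings).
SAMPLE_FINDINGS = [
    Finding("sql-injection", "critical", "api/orders.py", 88),
    Finding("hardcoded-secret", "high", "config/settings.py", 12),
    Finding("weak-random", "medium", "auth/tokens.py", 40),
    Finding("weak-random", "medium", "auth/reset.py", 17),
    Finding("debug-enabled", "low", "app.py", 3),
]

# Constructed: one accepted risk, tracked under a hypothetical ticket.
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("hardcoded-secret", "config/settings.py",
                   expires=date(2016, 3, 31), ticket="SEC-101"),
]

# Fixed dates so runs are reproducible: one before, one after the expiry.
RUN_DATE = date(2016, 1, 6)
LATER_DATE = date(2016, 4, 1)


def active_acceptances(acceptances, today):
    """Only unexpired acceptances suppress findings."""
    return {(a.rule, a.path) for a in acceptances if a.expires >= today}


def gate(findings, acceptances, today, threshold="high"):
    """The repeatable policy decision. Returns (passed, blocking_findings).

    A finding blocks when its severity is at or above `threshold` and no
    active acceptance covers its (rule, path) pair."""
    accepted = active_acceptances(acceptances, today)
    min_rank = SEVERITY_RANK[threshold]
    blocking = [
        f for f in findings
        if SEVERITY_RANK[f.severity] >= min_rank
        and (f.rule, f.path) not in accepted
    ]
    return (not blocking, blocking)


def engineer_view(findings):
    """What a developer acts on: every finding with its location, most severe first."""
    ordered = sorted(
        findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.path, f.line)
    )
    return [f"{f.path}:{f.line} [{f.severity}] {f.rule}" for f in ordered]


def executive_view(findings, acceptances, today):
    """What a manager tracks: the same findings reduced to counts, plus how
    much risk is being carried under live acceptances and how many lapsed."""
    by_severity = Counter(f.severity for f in findings)
    expired = sum(1 for a in acceptances if a.expires < today)
    return {
        "total": len(findings),
        "by_severity": {s: by_severity.get(s, 0) for s in SEVERITY_RANK},
        "accepted_risks": len(acceptances) - expired,
        "expired_acceptances": expired,
    }


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_FINDINGS, SAMPLE_ACCEPTANCES, RUN_DATE)
    print("gate:", "PASS" if passed else "FAIL")
    for entry in engineer_view(blocking):
        print("  blocking:", entry)
    print("summary:", executive_view(SAMPLE_FINDINGS, SAMPLE_ACCEPTANCES, RUN_DATE))
```

Run on the sample data, the gate fails on the critical finding while the accepted high-severity one is suppressed; run again after the acceptance's expiry date and the suppressed finding blocks too, which is the point of dating every acceptance. The gate decision, not the printout, is what a build pipeline should consume.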

So, consider yourself totally prepared to have a rocking New Year’s Eve, because now you’re armed with information. When your boss, Skippy, asks you about a sound application security strategy, you can hit a homerun and get back to recovering from your holiday hangover!

Happy Holidays and Cheers!


Rob Cross
PSC, Vice President              


Written by Rob Cross at 05:00

The Next Generation of Hackers? Assess Your Application Security Now!

Today’s youth … tomorrow’s threat? It’s absolutely mindboggling that kids today know how to swipe an iPad before they learn how to talk or write. Don’t you agree?

Computers, handhelds, software – the interconnectedness once foreign to people like me are natural appendages to the future generation. Why am I bringing this up? The systems and software designed today were done so by a generation that had to painfully adjust their lives to the constant interruption or disruption of technology. We have integrated ourselves into this new reality time and time again.

However, tomorrow’s generation is integrated with technology almost from birth. Sociologically, we are at a disadvantage because this younger generation will easily find ways to compromise the systems we have designed using outdated technology paradigms. Perhaps this paradox is nothing new; however, the rate of technology invention will not outpace the rate of human innovation and the ability to compromise technology in the decades to come. If you don’t believe it, check out the news story below and try to catch your jaw from hitting the floor.  

British schoolboy, 16, 'took part in world's biggest cyber attack' and was found to have significant amount of cash flowing through bank account

Adding some more logs to the fire, a number of companies are beginning to dabble in the “digital black arts” (aka software development) which traditionally have not done so in the past, such as consumer goods companies. Additionally, many more companies are integrating software (Open Source or Commercial off the Shelf) into their environment. But these companies often do not understand the risks that come with these initiatives. The question becomes: How can these companies manage these changes and manage risk?

Like any good problem, the solution requires a holistic and layered approach, starting with cyber security. There are many opinions out there regarding the layers of security needed to sufficiently address this growing threat; I, however, will just discuss one: application security.    

It’s always interesting to me when we receive the phone call from companies known to be leaders in their market because they have a “situation.” The conversation usually starts off with a quick signing of an NDA, and then we’re immersed in the details of how the company has been compromised from not proactively paying attention to application security; and, before they go public, they need to make sure a solution is in place.

I have enormous amounts of respect for these companies, and I’m in awe of their incredible ability to execute ultra-complex, go-to-market strategies and build empires. However, when it comes to making sure their digital assets are locked down, they have fallen short and are unknowingly playing the cyber equivalent of Russian roulette. The C-level executives in these situations are typically speechless, having found out that after the millions of dollars and years of hard work spent building a loyal and strong customer base, it has rapidly started to erode in less time than it took my old Atari 2600 to boot up and load Pac-Man. 

The cyber threat is here and it’s not going away. In fact, it’s growing at a rate that is mind blowing, and with new generations in the pipeline growing up with technology integrated from the start into their daily lives, we’re in for a ride. 

Doing due diligence by having an independent assessor come into your company to evaluate your application security readiness needs to be part of the corporate strategy as a planned, proactive activity. Your customers and shareholders deserve nothing less. It’s not a silver bullet per se, but part of a bigger holistic cyber security strategy that will at least keep your company in good standing and perhaps a half-step ahead of the bad guys in cyberspace.

By the way, this photograph is such a violation of my nostalgic memories. How dare someone comingle an iPhone with my beloved Atari 2600. As we would say back then, “Dude that’s totally cool … NOT!” 


Rob Cross
PSC, Vice President              

Written by Rob Cross at 05:00

Is Your Company Prepared to Defend Against a Hacker?

Life has changed as we know it, and nothing is untouchable now, including your company’s brand! Example?

2.4 Million Credit, Debit Cards Hacked at Schnucks Markets

I’m not sure what to think anymore when you see the CEO of a grocery store chain called Schnucks explain how 2.4 million credit card numbers were stolen from their systems by cyber hackers. I live in New Jersey and have never heard of Schnucks before in my life, but their website indicated that they were founded in 1939 in North St. Louis; the well-loved, neighborhood grocery store.  

Pictured here are Edwin and Anna Schnuck back in 1937 (source: http://www.schnucks.com). These were the good old days before credit cards and cyber hackers. Everyone knew their butcher, pharmacist, mailman and barber by first name. In fact, Schnucks is known as “The Friendliest Stores in Town.”

Seventy-six years later, they have more than 15,000 employees and more than 100 stores. More importantly, they are on the “grid” and have been a target and victim of cyber attackers. It took this company 76 years to build their brand and a loyal customer base, but it took hackers less than a day to exploit this wonderful company’s unfortunate vulnerabilities and tarnish their relationship with their customers. Shameful, awful, horrific, and I’m sure if Edwin and Anna were still alive, they’d find it all very confusing.  

What is cyber security, and why didn’t the “Friendliest Store in Town” have the systems in place to be the unfriendliest target to cyber criminals? I don’t presume to have the definitive answer for either question, but I have some thoughts.

From my simple point of view, cyber security comes in many layers: social engineering, network protection, application security and database assurance. All are intertwined, and the weakest link cliché does apply. Because my company focuses on application security, I can speak knowledgeably on this topic. Regardless of whether Schnucks or other businesses do their own application development or they purchase commercial off-the-shelf or custom solutions, each should have its own strategy for identifying security risks and vulnerabilities.  

Trust But Verify!  

“Different strokes for different folks” applies here. Some companies prefer to do all development in-house so they can control their risks. Others buy software from vendors, feeling they have shifted the burden of risk to their vendors because lawyers were brought in to clearly define this shift in responsibility.

From the perspective of a company’s brand and the precious relationship it has with its loyal customer base, this burden should never be shifted, and proper process and controls should be in place. My company performs numerous software security audits every year across different industries, and it’s the exception, not the rule, when we come across an application that has zero security flaws. This applies to both in-house developed and third-party applications.

Even though your company may trust its employees and your long-time vendors, you should verify that they have been following the proper process and controls. Your company’s brand is too important! Whether it’s through a third-party, independent evaluator, like PSC, or an internal team firewalled from both the vendor and the development team, your company should be systematically analyzing the applications riding on your networks and interfacing with your employees, vendors and customers for security flaws.

There are many reasons why this critical activity is overlooked or improperly performed, from schedule compression to no secure code training for developers.  Not factoring these weak points into your software security risk model is fatal.  

As George W. Bush said, “In our efforts to discover and stop attacks, we have to be right every time; the terrorists only have to be right once.” This applies to your cyber security and application security posture. The cyber criminals only have to be right once and the hard work and millions of dollars you have spent in building your company’s brand, reputation and relationship with your customers can be erased in a nanosecond.  

On a positive note, this week at Schnucks is Super Triple Coupon Week! I wish them all the best in building back the trust of their customers. Triple coupons would get me back in the stores, but it’s up to them to ensure the security of their software!

Rob Cross
ProServices, Vice President

Written by Rob Cross at 08:00
