Thursday, February 21, 2008
Is your web application secure...
There are many folks who can rattle off tons of security features that they have used in the past, but few understand that security is not about features and therefore are peddling snake oil to their clients...
One of the major problems with security in general is that it is not "visible" to the masses. Consider the fact that on September 10th, secure airplane doors already existed and a few smart airlines had even bought them in advance, yet the masses didn't understand their importance until after an attack had already occurred. The real question is whether we want to be proactive in finding potential exploits in our web applications and ECM systems, or whether being reactive is sufficient.
One of the major reasons why enterprises continue to suffer from security breaches is that no one is watching the hen house. Typically, Enterprise Architects got into their position because they had the ability to learn, could see trends and were usually the best technologists. Of course, we must redirect their value proposition to things of "higher value", such as the creation of compelling PowerPoint, where the details matter less.
Many security professionals do their best to educate others but are often confronted with two phrases which are highly problematic. The first is the infamous "this isn't in my budget". Could you imagine me being in charge of constructing a new bank and telling the bank manager, "Excuse me, I didn't have the budget to build the vault securely, but here are some nice sturdy paper bags to keep your money in"? This is exactly what most IT professionals practice.
Of course, you could be from the school of thought that uses the other cliché phrase, "I don't understand". If you don't understand, does that mean it isn't important? Should security folks waste time explaining everything until the dimmest of the bunch understand? Do you expect a hacker to call you up and ask for a slot on your release calendar in order to align with your ITIL goals? While you are busy distilling things into IT executive speak, hackers are busy understanding the details of your infrastructure and looking for weaknesses.
One of the best ways to become secure is to discourage insulting firms and software vendors from talking about security as if it were a feature. Likewise, security is everyone's job, and it requires everyone to stop assuming that they are secure and to start thinking more like an attacker. A little paranoia in the enterprise hasn't hurt anyone...