Dear “Enlightened Masters (EM)”, your memo reached my desk earlier this week. This is my response – shared in public.
The time is nigh. Information Technology is moving forward in a rapid pace. Every year we see new and important tools powered by IT to make life easier. We’re talking about banking, online shops and more that I can’t fathom in my young life. Each of these services handles delicate information about us like personal and banking information. I’d hate to see any of these tools expose such information – I’d also hate to see them go down cause of silly things like DDOS and XSS. Dear EM – since you represent a company going into these markets I would hate to see you enter it without knowing the risks and how to handle them. I’ve been advocating computer security half of my life and I am dying to help you out. Implementing and advocating computer and information security isn’t easy. It doesn’t matter how good my points are when EM’s management don’t want to pay up the costs of implementing it. Listen to the story of the company “The Company” (TC)
TC decided that they were to reach for the biggest tenders. Of all tenders in this market they’ve narrowed the list of potential customers to around 150. These 150 customers are the biggest nationwide and they all have two things in common. They are all tied to one specific software vendor and they all demand a “high security focus in all project phases”.
TC got hold of many tenders. Most of the tenders asked for security. Can’t blame them- banks and whatnot’s need to feel secure. So – since TC had little to none experience handling security they set out to answer the questions. Armed with a minimal budget and no clue what to do they started answering tenders with “yes -we can do security”. So – when the customers asked for what TC’s policies were TC responded: “We do secure coding and we got a silver bullet software that we’ll use during development that scans the product for security holes and whatnot”. As a gesture TC offered to rent a professional pentest company to do “some” testing just before the product shipped.
Shit hit the fan since TC underestimated what the customers actually knew about security. It turned out that TC couldn’t answer the most trivial questions. DDOS, XSS, SQL injection, Secure coding, clean desk policy – nah never heard of.
In my mind computer security is pure knowledge. Deeper knowledge of the systems we use, the programming languages, the databases, the hosting partners, various attacks, attack prevention, secure coding and … Maybe the most important: a deeper than deep knowledge of reality! To boldly go into the top 150’s market you must invest in knowledge. I know from experience it won’t come cheap – but the payoff is worth it if you want to play the game.
Security isn’t buying a silver bullet like the security scanner without learning how to use it and interpret the results or rent some company to pentest late in the development process. Security isn’t telling the customer “we do things securely” and having no evidence to back it up. Security is knowing what the dangers are and how to prevent them. Consultants need to know such things, and they got to learn it from someone. That someone itself needs to know stuff – and knowing stuff is best learnt by learning from others. This costs money. Sorry – since IT is fast moving Wikipedia can’t really help much.
Please don’t become TC.