The darkest shadow lies beneath the candle
It is hard to digest when we hear a BIG company was hacked! WHAT!! They have a super-strong security team, cutting-edge technologies, modern infrastructure, then HOW?? And it is not only the big companies: more or less every company is experiencing the same threat.
The truth is, a security team must prevent EVERY attack, but the hacker has to win ONLY ONCE.
Who is responsible?
This is the first question we get when something goes wrong. In case of a security breach, it is YOU who is responsible. Sounds harsh? Let me rephrase it. The responsibility lies with every team or individual directly or indirectly involved with the system that was hacked: starting from the programmer/developer, tech lead, manager, architect, testers, security team, compliance team and management, up to the organization, the CTO and the CIO. If I have missed any IT role please add it here.
Why had it happened?
The reason behind the flaw is, of course, lack of knowledge first, then negligence. The flaw may be created by one person, but it was overlooked by all the others who are responsible for the quality of the system.
IT is a fast world. We are always agile. Never settled. We update our systems a hundred times a day, which is expected, and we should be doing it faster and faster. But I have seen many compromise multiple critical factors just to match the shortest time to market of their competitors.
Where is the flaw?
Education: The flaw starts in the education system. Most universities do not teach how to write secure code. People pay universities for big degrees and actually learn from free online materials. Developers are great at creating microservices, AI systems and designing complex, large systems, but have near-zero knowledge of how to protect the system they are developing.
IT Process: The second most responsible factor is the IT process in more or less every organization. Yes. You have read it correctly. It is the IT process. Most of the workforce is still unaware of why security is required or what IT security is.
Most IT professionals are great at talking about great systems, but more than 80% of IT project managers do not know what the ‘Shift left’ process is. Of the 20% who are aware of it, many neglect to follow it. Upper management does not bother about what processes are being followed. For them, it is just about getting to market before their competitors.
In most cases, ‘Quality’ and ‘Security’ are fancy words for the PowerPoint slides only.
As a result, we are creating a heaven for hackers.
How to safeguard?
The answer is not easy. Many organizations are putting hundreds of brains to work on creating safe, secure systems. I know you may be thinking: then what is there for you to do? Don’t forget, you are one of the brains in that organization. Even if you are not in the security team, not a manager and not someone from upper management, you must still follow ‘SECURITY FIRST’. Do not ever think of building or supporting a system if you do not know how to protect it.
Maybe a fast time to market will bring you the highest profit, but on the second day the whole organization can be grounded by a security breach.
- Follow the ‘SECURITY FIRST’ principle.
- Focus on the quality of code, NOT the quantity.
- Start with the security scope even before designing your system.
- Starting from coding, code quality and security vulnerabilities should be checked.
- At every phase of the SDLC, static, dynamic and interactive security tests and security scans (application, infrastructure, network) should be implemented.
- NO MANUAL TESTS. Every test should be automated.
- Infrastructure should have the latest patches.
- Compliance and security approval should be required at every stage of the SDLC.
It is a huge list, and it continues… But it is achievable with modern automated CI/CD techniques. Learn, and guide others to learn.
See the unseen. The darkest shadow lies beneath the candle.
Som is a Cloud Infrastructure Architect, Public Speaker, and a Technical Consultant working in an MNC. He has around 15 years of accomplishments in IT solutions delivery for various financial institutions across the globe.
Som is the founder of “e2e Solution Architect” and a Udemy instructor. End to End Solution Architect is an educational forum for Data Science, Machine Learning, and end-to-end Cloud solutions for large-scale production environments.