The darkest shadow lies beneath the candle
It is hard to digest when we hear that a BIG company was hacked! WHAT!! They have a super-strong security team, cutting-edge technologies and modern infrastructure, so HOW?? It is not only the big companies; more or less every company is facing the same threat.
The truth is, a security team must prevent EVERY attack, but the hacker has to win ONLY ONCE.
Who is responsible?
We get this question first when something goes wrong. In case of a security breach, it is YOU who is responsible. Sounds harsh? Let me rephrase it. The responsibility lies with each team or individual directly or indirectly involved with the system that was hacked: programmer/developer, tech lead, manager, architect, testers, security team, compliance team, management, all the way up to the organization’s CTO and CIO. If I have missed any IT role, please add it here.
Why did it happen?
The reason behind the flaw is, of course, lack of knowledge first and then negligence. The flaw may be created by one person, but it was overlooked by the others who are responsible for the quality of the system.
IT is a fast world. We are always agile, never settled. We update our systems a hundred times a day, which is expected, and we should be doing it fast and faster. But I have seen many compromise multiple critical factors just to match the shortest time to market of their competitors.
Where is the flaw?
Education: The flaw starts with the education system. Most universities do not teach how to write secure code. People pay universities for big degrees and actually learn from free online materials. Developers are great at creating microservices and AI systems and at designing complex, big systems, but have near-zero knowledge of how to protect the system they are developing.
IT Process: The second most responsible factor is the IT process in more or less every organization. Yes, you read that correctly. It is the IT process. Most of the workforce is still unaware of why security is required or what IT security even is.
Most IT professionals are great at talking about great systems, but more than 80% of IT project managers do not know what the ‘Shift left’ process is. Of the 20% who are aware of it, many neglect to follow it. Upper management does not bother about which processes are being followed; for them it is just about getting to market before their competitors.
In most cases, ‘Quality’ and ‘Security’ are fancy words for the PowerPoint slides only.
As a result, we are creating a haven for hackers.
How to safeguard?
The answer is not easy. Many organizations are putting hundreds of brains to work on creating safe, secure systems. I know you may be thinking: then what is there for you to do? Don’t forget, you are one of the brains in that organization. Even if you are not in the security team, a manager or someone from upper management, you must follow ‘SECURITY FIRST’. Do not ever think of building or supporting a system if you do not know how to protect it.
Maybe a fast time to market will bring you the highest profit, but the very next day the whole organization can be grounded by a security breach.
- Follow the ‘SECURITY FIRST’ principle.
- Focus on quality of code, NOT quantity.
- Start with the security scope even before designing your system.
- From the first line of code onwards, check code quality and security vulnerabilities.
- At every phase of the SDLC, static, dynamic and interactive security tests and security scans (application, infrastructure, network) should be implemented.
- NO MANUAL TESTS. Every test should be automated.
- Infrastructure should have the latest patches.
- Compliance and security approval should be required at every stage of the SDLC.
It is a huge list, and it continues… But it is achievable with modern automated CI/CD techniques. Learn, and guide others to learn.