- It’s important to remember what total security is unachievable.
“The only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location… and I’m not even too sure about that one.”
—Dennis Hughes, FBI
- Zero-day attacks are becoming very common now-days and occur when a system or application weakness is discovered and attacked within one day. Zero-day exploits name came from the fact that developer or a company has “zero days” of awareness of a problem. We can’t achieve 100% security, our security level should match our needs and goals.
- Security level has to be re-evaluated periodically. Security has to be a concern of everyone, all the time, it can’t be just one person. Executive support will be crucial to success, it’s very important to establish regular security reviews. We need to review all technologies in use (hardware, software), review code in use and still in development, review procedures, access privileges.
- Better development practices has to be implemented. Developers might be asked to write software tests for common security vulnerabilities, for example if a Cross-site request forgery (CSRF) is a concern for the company developers might be asked to write test that attempt to perform CSRF on a company website.
- Write a Security Policy. Security policy has to communicate how information assets are protected, establish rules and guidelines to work with that assets. All stakeholders should be involved, everyone can be a stakeholder: developers, business users, executives and so on. Policy should be reviewed periodically.
- How to write Security Policy:
- Define the scope.
- Identify and classify data to be protected or controlled (databases, source code even images).
- Map the interaction of people and systems.
- Define the handling procedures for each type of data.
- Designate user or department responsibilities.