The State of Being Secure: A Primer on Security in your Organization


by Karel Gonzalez, Senior Software Engineer

A few weeks ago, I had the opportunity to attend the Lonestar Application Security Conference here in Austin. Security is something I have always been mindful of during my development, but I still felt a sense of futility about it. I ask myself on a fairly regular basis, “I’m doing something, but am I doing enough?”

I met a lot of great people during the conference, and heard some very interesting talks about privacy and security concerns, some more technical than others. Overall, the experience made me feel like I should start focusing on security more as a developer, and urging my peers to be more mindful of it as well.

I’d like, for a moment, to take a broader look at security. Not in any specific application, but as a concept.

Merriam-Webster defines security as “The quality or state of being secure”, and goes on to define some situations such as “freedom from danger” or “freedom from fear.” We have to read down a bit further to get the definition of security as a practice. Definition 4b(1) specifically reads “Measures taken to guard against espionage or sabotage, crime, attack or escape.”

We take measures to guard ourselves in the information age by using firewalls and antivirus software. Our developers have learned to take basic security measures while writing code for the applications we provide as a service, such as escaping user input before it is processed to avoid injection of malicious code. We use security software and/or have security analysts evaluate our products to make sure they meet a set of security standards that are as current as they can be.

Despite all this, it seems like lately every time we turn to the news there is yet another major organization that has encountered a security issue. Even organizations that deal exclusively with our most private of information are being breached. These are organizations that have security teams and budgets far larger than some of the organizations I have worked for.

When a data breach happens, I worry. Especially if the breach occurs at an organization that I personally do business with. The Experian breach impacted me. The Target breach impacted me. I’m sure they impacted some of you as well. I wonder what could have been done to avoid the situation. Were they keeping the software that they rely on up-to-date? Were they storing information securely?

So what can we do to make sure we aren’t the next data breach headline?

From a non-technical standpoint, it starts with cultivating a culture that doesn’t treat security as an inconvenience. Everyone in your organization should be concerned with the security of both your intellectual property and your clients’ data. This can be difficult to do sometimes with the heavy feature focus some levels of an organization can have. There are requirements that must be met, and sometimes security gets pushed aside. Once that starts happening, however, it becomes increasingly difficult to get caught back up. If security is a focus during feature development, it becomes easier to maintain.

From a more technical perspective, we need to observe what the current security threats are and take measures to protect against them. We need to be less reliant on our perimeter security measures, and do more than the bare minimum of string escaping and the like. The reliance on software libraries and frameworks makes this difficult at times, especially if the source code is not available for audit. It’s difficult to know whether the frameworks you are using are truly secure. Security audits and penetration testing, despite the amount of time they can take, are good ways to ensure that your product meets your organization’s security guidelines.

Overall, you can never assess every threat before it happens. But with a culture of security, and a team of engineers and developers that are prepared to take security seriously, you can greatly reduce the amount of risk to your organization.

Author: bridge360blog

