December 28, 2010 at 5:07 pm #5919 mchugh48 Participant
Application Security is designed to keep your users' data/information secure from being read, stolen, or destroyed by malicious people and processes. Security cannot be added as an afterthought; it must be built and resistant to attack. There is usually a big push to get an application out the door and delivered, and it takes some strong persuasion to build in security from the start. What ways are others out there using to persuade business and government to build in secure coding? Sometimes, I have noticed that using FUD – Fear, Uncertainty and Doubt – can be effective, but that should really be necessary.
Tell me what you think!
December 29, 2010 at 2:46 pm #37082 caissyd Participant
Hi mchugh48 and welcome to the forum!
I have faced this dilemma many times. Here is what I have done:
1) Build a presentation showing how to add security to every step of the SDLC (Software Development Life Cycle). I focus on cost reduction by “thinking” about security in the early stage;
2) Show them how, by implementing security into the development framework, we could save a lot of $$$ on subsequent projects. For example, creating a solid filter for user input in web applications could easily be reused by all other projects using the same platform.
3) Security training for developers. I personally do free “Lunch and hack” sessions at work about twice a month. In these sessions, I will talk about a single topic, for example SQLi, demonstrating an attack or two and showing them how to protect themselves. This is also a great way for me to make them aware of my skills (Hey, I am a contractor ;))
4) If you end up finding vulnerabilities before the system goes in production, talk to management about how this costly mistake could have been easily avoided by doing xyz earlier.
I hope this can help you.
December 30, 2010 at 7:41 am #37083 Anquilas Participant
Interesting starting points, I’m hoping to instill similar habits where I work one day.
Question: do you get a lot of response on those ‘Lunch and hack’ sessions? I’m curious to see what amount of developers can actually be intrigued by these topics.
January 5, 2011 at 5:59 am #37084 Empires89 Participant
Security is a huge part of every infrastructure and application project. It can’t just be ignored or weakly implemented. This results in major losses down the road, and is more costly. What happens when your application or project has a security flaw or is exploited? You lose customers, you lose money, you lose trust, and your reputation is ruined. Surely the cost of a little prevention is worth it.
I can’t say I’ve ever dealt with a project that had an unreasonable time frame for completion. When my boss once demanded I set up a web-based application with an unreasonable time frame I flat out told him “No.” I implemented basic filtering and network/firewall restrictions on this web-based system. Lo and behold, a couple months later, the application’s programmers found a flaw that allowed crackers to access the admin panel and steal user data. Since I implemented restrictions on our server I saved us from being cracked and having our customers be exploited.
Speak money to a company and they’ll usually listen. Tell them that making security a focal point in the beginning often reduces the chance of exploits. Like H1t said, sometimes you can make a security application that can be used in several different projects, and that saves a lot of time and money.
January 11, 2011 at 8:20 pm #37085 caissyd Participant
I agree with Empires89!
To answer Synquell's question: I get a very, very good response from people for my “Lunch and Hack”. But it needs to be really interesting. They don’t want to study like us…
I found that doing a “real” demo, like scanning their own machines or querying the whois database for the company info interests them a lot. But strangely, hacking a web server on a VM on my laptop gets much less interest. Go figure! It needs to be visual and entertaining.
I guess it’s like a magician's show. Who cares about what the trick is, we want to be blown away!