Depending on your familiarity with the IT security business, the title of this article will provoke either skepticism or a sly smile. In either case we can quickly agree that perfect security in its absolute form is unattainable, right?
However, if we define perfect security as the level of security measures at which hacking the system becomes more expensive than the potential gain from doing so, then the term becomes operational. Quantifying the attacker's gain should also include the system owner's loss of reputation, production time and system recovery effort.
Achieving perfect security thus depends on the system, and on the data it processes and stores. Furthermore, the security measures needed to attain perfect security must be tailored specifically to that system. Eugene Kaspersky described an example of perfect security for critical infrastructure such as power plants at the Copenhagen Cybercrime Conference CCCC 2016: it has to be cheaper to fire a conventional cruise missile at the plant than to hack it.
This could be the golden age of computer hacking and cybercrime. Stories ranging from identity theft to near-ingenious skimming of petrol from refineries are common nowadays. The IT industry has come a long way in securing infrastructure components, so attackers are forced to move up the stack to the application layer to find the vulnerabilities.
Criminals tend to be some of the most creative people in this world; they continually find new ways to exploit loopholes and weaknesses. The breathtaking pace at which new products with internet connectivity are being released to the market should send a chill up your spine. Examples include alarm systems, television sets, cars, coffee machines and similar devices. Security is often only a secondary consideration for some vendors. A lot of doors are being opened for the creative cybercriminal.
The Open Web Application Security Project (OWASP) was founded in 2001 and provides a wealth of publicly available information regarding application security, ranging from the top 10 critical web security risks to tools for testing an IT system for vulnerabilities. All of this information is provided free of charge.
All of the vendors implementing the IT systems I have had the pleasure of assessing security for are aware of the OWASP Top 10, and most have security experts guiding their developers, and yet every single system had at least one vulnerability in the Top 10 category. Those vulnerabilities were then risk-assessed and found to be critical enough to warrant additional mitigation before production go-live.
Having just a few designated security specialists in an organization with dozens, if not hundreds, of developers will not eliminate critical security vulnerabilities. It would be far more beneficial to have every developer producing code that is resilient to the well-documented top 10 critical vulnerabilities than to have selected systems assessed by specialists at top hourly rates, resulting in additional rework just before go-live.
Achieving perfect security will continue to be impossible unless we raise the bar of every single developer in our organization who delivers code to production systems.
At NNIT, in our Microsoft Solutions Department, we have had great experiences with a one-day course introducing our developers to secure design, threat modeling, security coding, OWASP Top 10, security testing and best practices regarding privacy, based on the Microsoft Security Development Lifecycle for Agile methodology. Except for the specifics on mitigating OWASP Top 10 vulnerabilities in C#, the material is generic and reusable across any development platform.
The idea is to give developers knowledge and tools while integrating those into the daily processes. This helps to ensure a higher quality of security implementation for every system developed.
Perhaps you noticed in the above figure that the training segment of the Microsoft SDL for Agile is marked as an Every-Sprint practice, underscoring the point that training is not just a first step, but a step that must be revisited often.
Perfect security should be a driving ambition for every IT system we as an industry deliver. Is your organization already delivering perfect security or should you raise the bar and take the first step?
I wish you a safe journey to perfect security.
This is an article from NNIT Security Insights, a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.
NNIT has its own Computer Emergency Response Team (CERT). If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses to achieve the right level of security protection to protect the business from financial and reputational damage.
You are welcome to contact us at firstname.lastname@example.org if you want to know more about how NNIT can help your business increase its information security level.