Thursday, March 12, 2015

Avoiding the top 10 security flaws | IEEE Cybersecurity Initiative


Things you can do now to increase your peace of mind…

The IEEE Cyber Security website ( http://cybersecurity.ieee.org ) should be one of the top five sites visited by every programming manager, regardless of what primary language their team uses or what industry sector their company serves, and even if they don’t handle personal or financial data.

The article linked here has a section, “Identify sensitive data and how they should be handled”, that runs to just one page and that everyone needs to review and implement as soon as possible.

Here is my advice for moving forward.

  1. If you don’t have a complete and up-to-date data dictionary, put one together now, even if this means pulling a person or two off a time-sensitive project. If you can’t do that, then create a user story that forces the item to be addressed during your next Agile sprint. The task: map the frick’n database already.
  2. Set aside an afternoon and mark up your data dictionary. Identify each and every field that ties into session control, personal identification or financial transactions. At this point you aren’t making any decisions about what changes should be made; you are just identifying the fields.
  3. After you have the fields identified, give each one a score on a scale of 1 to 5. A one reflects a low need for sensitive controls; a five, of course, is a field that requires the highest level of control.

Two items need to be addressed once the three above are finished.

  1. Decide how to best store, encrypt, separate and log any item that has a rating of four or five. Look at all aspects of access control, from ODBC/JDBC connections (which everyone forgets about) to any additional logging you can put in place when those fields are accessed, populated, edited or deleted.
  2. Add an additional Security Review (after your Agile peer review) to your Agile process for any code or process change that touches anything rated three or higher. This is an easy process you can put in place now that will genuinely add peace of mind for you and your staff with regard to application security, and it will make you a rock star in the eyes of those who can grant you a pay increase. Note that the review must be conducted by someone on your company payroll; don’t (under any circumstances) allow a contractor to conduct this review.
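To make the two lists above concrete, here is an added worked example (mine, not code from the post or from the IEEE article). It parses a small constructed data dictionary marked up with the three categories from step 2, scores each field with an assumed 1-to-5 rule (the post leaves the scale to you), reports which fields of a code change trip the three-or-higher review rule, and generates SQLite audit triggers for the four-and-five fields so that every insert, real change and delete of them is logged. All table and column names are made up for the illustration, and SQLite is only the target because it ships with Python; the same idea applies to any database with triggers.

```python
import csv
import io
import sqlite3

# Constructed data dictionary (not a real schema): one row per column, with
# the three categories from step 2 marked 1/0.
DATA_DICTIONARY_CSV = """table,column,session,pii,financial
users,id,0,0,0
users,email,0,1,0
users,password_hash,1,1,0
sessions,token,1,0,0
sessions,created_at,0,0,0
orders,card_last4,0,0,1
orders,card_token,0,1,1
orders,quantity,0,0,0
"""

REVIEW_THRESHOLD = 3   # post: extra Security Review for anything rated 3 or higher
CONTROL_THRESHOLD = 4  # post: storage/encryption/separation/logging for 4s and 5s


def score_field(session, pii, financial):
    """Assumed scoring rule (the post leaves the 1-5 scale to the reader):
    start at 1, add 2 for PII, 3 for session control, 3 for financial data,
    cap at 5. Credentials (session+PII) and card-holder data (PII+financial)
    therefore land on 5."""
    score = 1 + (2 if pii else 0) + (3 if session else 0) + (3 if financial else 0)
    return min(score, 5)


def load_dictionary(text):
    """Parse the marked-up dictionary (step 2) and score every field (step 3)."""
    fields = []
    for row in csv.DictReader(io.StringIO(text)):
        flags = {k: row[k] == "1" for k in ("session", "pii", "financial")}
        fields.append({"name": f"{row['table']}.{row['column']}",
                       "table": row["table"], "column": row["column"],
                       **flags, "score": score_field(**flags)})
    return fields


def review_required(fields, touched):
    """Names in `touched` (the 'table.column' names a code change references)
    that force the extra Security Review. A name missing from the dictionary
    counts as a 5: the dictionary is supposed to be complete, so an unknown
    field means it is out of date and the change needs a look anyway."""
    scores = {f["name"]: f["score"] for f in fields}
    return sorted(n for n in touched if scores.get(n, 5) >= REVIEW_THRESHOLD)


def audit_trigger_sql(fields):
    """SQLite triggers that record every insert, real change or delete of a
    field scored 4 or 5. The value itself is deliberately not logged: a log
    that copies session tokens or card data becomes sensitive data too.
    Identifiers come from our own dictionary file, not user input, so
    formatting them into DDL is acceptable here."""
    stmts = ["CREATE TABLE IF NOT EXISTS audit_log (ts TEXT DEFAULT CURRENT_TIMESTAMP, "
             "tbl TEXT, col TEXT, row_id INTEGER, op TEXT)"]
    for f in [x for x in fields if x["score"] >= CONTROL_THRESHOLD]:
        t, c = f["table"], f["column"]
        events = (("INSERT", "INSERT", "NEW", ""),
                  # UPDATE OF fires only when this column is in the SET list;
                  # the WHEN clause drops updates that rewrite the same value.
                  ("UPDATE", f"UPDATE OF {c}", "NEW", f" WHEN OLD.{c} IS NOT NEW.{c}"),
                  ("DELETE", "DELETE", "OLD", ""))
        for op, event, ref, cond in events:
            stmts.append(f"CREATE TRIGGER audit_{t}_{c}_{op.lower()} AFTER {event} ON {t}{cond} "
                         f"BEGIN INSERT INTO audit_log(tbl, col, row_id, op) "
                         f"VALUES ('{t}', '{c}', {ref}.rowid, '{op}'); END")
    return stmts


def run_demo():
    """Build the constructed schema in memory, install the triggers, make a
    few changes and return the audit rows (table, column, row_id, op), sorted
    so the result does not depend on the order in which triggers fire."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        CREATE TABLE sessions(id INTEGER PRIMARY KEY, token TEXT, created_at TEXT);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, card_last4 TEXT, card_token TEXT,
                            quantity INTEGER);""")
    for stmt in audit_trigger_sql(load_dictionary(DATA_DICTIONARY_CSV)):
        db.execute(stmt)
    db.execute("INSERT INTO users(email, password_hash) VALUES ('a@example.com', 'h1')")
    db.execute("UPDATE users SET email = 'b@example.com' WHERE id = 1")  # a 3: reviewed, not logged
    db.execute("UPDATE users SET password_hash = 'h2' WHERE id = 1")     # a 5: logged
    db.execute("UPDATE users SET password_hash = 'h2' WHERE id = 1")     # same value: not logged
    db.execute("INSERT INTO orders(card_last4, card_token, quantity) VALUES ('4242', 'tok_1', 2)")
    db.execute("DELETE FROM orders WHERE id = 1")
    rows = db.execute("SELECT tbl, col, row_id, op FROM audit_log").fetchall()
    db.close()
    return sorted(rows)


if __name__ == "__main__":
    for f in load_dictionary(DATA_DICTIONARY_CSV):
        print(f"{f['name']:<22} score {f['score']}")
    print(*run_demo(), sep="\n")
```

Two design points worth noting. First, the triggers log that a sensitive field was written, never its value; otherwise the audit table itself becomes a copy of your tokens and card data and needs the same controls. Second, triggers cannot fire on SELECT, so read access to these fields still has to be logged at the connection or application layer, which is exactly the ODBC/JDBC path the post says everyone forgets about.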

Well, let me get off this soapbox before someone starts throwing tomatoes.

Your takeaways:

  • Read the IEEE Cyber Security website often.
  • There are things you can do now to make your applications more secure.
