Information Security Blog

Security Incidents Drive Integration of Security Into SDLC’s

Thought that Errata Security’s recent survey mapped well to what we have seen regarding Application Security Practices:

While 50% of software development companies say “security is ‘always’ a concern …” only half of those firms have a formal Systems Development Life Cylce (SDLC) in place.
Software developers usually wait for a security incident to occur before calling in a security expert. Companies then look to to integrate secure coding practices as a response.

It’s very interesting to me that while the vast majority of developers/application owners recognize the importance of security, SDLC’s are usually non-existent, do not adequately integrate security, or are not complied with. This would imply that it is a resource constraint: time and/or knowledge.

Time constraints are illusory in that the failure to address security adequately in early solution stages is well understood to ultimately cost more time than it saves.

This infers that it is a knowledge constraint (perhaps exacerbated by a time constraint). This “feels” consistent with what we see during security assessments or during incident response. What may be surprising is that it is often business management’s lack of knowledge relating to application security that is most impactful, as they “own” the responsibility to ensure that an SDLC is in place and operating as intended.

We recorded an on-demand webinar around OWASP that addresses this knowledge constraint. Enjoy.

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!

Best Practices for Firing A Network Security Administrator

Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.

Free Download: A Best Practices Guide to Database Security

Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.

Free Whitepaper: Stop Wasting Money on Penetration Testing

Penetration Testing is most frequently performed to:

Substantiate the net effectiveness of a mature control environment
Prove to a third party that an environment is secure/trustworthy
Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
To validate that significant changes did not have unanticipated results