Friday, July 25, 2008

Getting Started - put Security into your SDLC

The most important thing you can do to integrate security into your SDLC process is to get started. It doesn't matter whether you pick Microsoft's SDL, CERT's SQUARE process, Gary McGraw's Touchpoints, or NIST's SP 800-64; just get started!

Jeremy Dallman has put together a series of posts on the SDL blog using the analogy of "crawl, walk and run" to provide some basic starting points that would move your organization toward implementing a version of Microsoft’s Security Development Lifecycle (SDL). He has completed the Crawl and Walk posts; they are worth looking at if you have not started working on integrating security into your SDLC.

Tuesday, July 22, 2008

2008 Security Survey: We're Spending More, But Data's No Safer Than Last Year

An InformationWeek article indicates that companies are behind in implementing encryption to protect customer and employee data. The article also states:

"We had hoped that the ongoing parade of high-profile data losses would set most companies on the road to comprehensive privacy protection. So we were discouraged that the only actions to safeguard customer data that are used by more than half of companies are ... informing employees of standards and putting a privacy policy on the Web site. Fine steps, but they don't exclude the need for encryption (used by 34%) or privacy policy audits (25%). Amazingly, 11% say they have no privacy safeguards for customer data. Zip. Zero."

I think encryption is only one of the many steps you can take; an even better approach is to have risk management programs in place that allow you to understand what data you are collecting, and to make sure you have a real business need to store it -- for example, why does your HR department even need all of the personal information they collect from a potential job applicant if they don't follow up on 98% of the resumes they receive?

Understanding ways to mask and minimize the amount of data you collect, while still achieving the goals of the business, should be the first priority of any organization's data owners.

Sunday, July 20, 2008

Where is your Laptop?

Today's Chicago Tribune has an article which has to make one pause:

"More than 12,000 laptops are lost each week at U.S. airports, according to a study conducted for Dell by the Ponemon Institute, a research think tank. Only one-third of laptops lost and found in airports are reclaimed, the study said."

I guess that means that two thirds of the laptops are never missed by the persons that lost them? I wonder how much personal or customer information is on those?

Thursday, July 17, 2008

Microsoft announces new SDL Website

Microsoft has recently launched a dedicated Security Development Lifecycle website at www.microsoft.com/sdl. This website will serve as the main online presence for all SDL-related communications and resources from Microsoft. It has links to various tools, including the SDL Blog, which recently had a posting on SQL Injection Defense Tools.

What would you like to see in a Security Awareness Seminar?

I'm beginning to work on materials for a Security Awareness Seminar to complement my Privacy Awareness Seminar. My target audience consists of developers, architects, testers, project managers, and development managers. I'm looking for ideas on what might interest an audience like this and could fit into a period of 4 hours, since I know that development teams are always crushed for time.

Some thoughts that I had were to possibly focus on the OWASP Top 10, which includes topics like XSS and SQL Injection. I don't think we would have the time to go into depth on Secure Coding Techniques; that is probably best handled by a text like Michael Howard's Writing Secure Code, Second Edition.

Microsoft Advisory Targets SQL Injection Attacks

Take a look at this article in Application Development Magazine regarding SQL Injection attacks. It references a Microsoft Security Advisory which identifies several tools to assist administrators in defending against these attacks. These tools cover detection, defense, and identifying code that may be exploited by an attacker.
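To make the coding problem those tools are hunting for concrete, here is a small added example (my own illustration, not code from the advisory, the article, or Microsoft's tools). It builds a constructed in-memory SQLite table, runs the same attacker-supplied username through a string-concatenated query and a parameterized one, and includes a crude line scanner of the kind a code-review tool might use to flag SQL built by concatenation. The table contents, the payload, and the sample source text are all made up for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create an in-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The exploitable pattern: user input is concatenated into SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The defense: a bound parameter is always treated as data, never as syntax."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A classic tautology payload (constructed); it closes the quoted string and
# appends a condition that is true for every row.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run the payload through both lookups and return what each one leaks."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),      # every row comes back
        "parameterized": lookup_parameterized(conn, PAYLOAD),  # no such user: empty
    }


# Crude static check: a SQL keyword on a line that also concatenates a string
# with "+" is worth a human look. It will produce false positives and misses;
# it only illustrates what "identifying exploitable code" means in practice.
SQL_CONCAT = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b[^;\n]*[\"']\s*\+", re.IGNORECASE)


def find_risky_lines(source):
    """Return 1-based line numbers in `source` that build SQL by concatenation."""
    return [n for n, line in enumerate(source.splitlines(), 1) if SQL_CONCAT.search(line)]


# Constructed source text to scan: lines 1 and 3 concatenate, line 2 binds.
SAMPLE_SOURCE = '''\
sql = "SELECT * FROM users WHERE name = '" + name + "'"
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
q = "DELETE FROM sessions WHERE id = '" + sid + "'"
'''

if __name__ == "__main__":
    print(demo())
    print("risky lines:", find_risky_lines(SAMPLE_SOURCE))
```

Running it shows the concatenated query returning all three constructed users for a username that does not exist, while the parameterized query returns nothing, and the scanner flags lines 1 and 3 of the sample source. The parameterized form is the fix to apply; the scanner is only a pointer toward where to apply it.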