
Three Brass Monkeys

Security is one of the most talked-about issues in IT these days. Brett Crawley looks at security: how legislation helps or fails to, and the precautions to take.

by Brett Crawley · Mar. 08, 16 · Performance Zone · Analysis

Why We Mustn't Take Security For Granted

Just because we "Hear No Evil, Speak No Evil and See No Evil" doesn't mean that it isn't there. This is how we should think about application security: by the day you see an attack, hear about one, or are told about one, it is already too late. Not hearing about attacks is a good thing, but it is not to be taken for granted. If you are a software house and one of your systems is attacked, the damage to the company's image can be enormous. Unless you have included certain disclaimers in your license agreement, it could even be crippling for the company, because you may also be liable for damages.

For all you know, you may already have been hacked and not even know it; if the hacker was good, you might discover the breach only once you start to take security seriously and look for it.

Is Legislation the Answer?

Currently, governments are talking about creating legislation to force software houses to give greater consideration to security.

What exactly that would mean is as yet unclear, because there is no clear line at which you could say that the company is at fault; it would be very much open to interpretation. It may be that companies would have to demonstrate that they have taken certain precautions, for example:

  • that they have implemented/used secure coding practices
  • that they have certified members of staff that perform code reviews
  • that they have used tools to analyze binaries or sources automatically

Perhaps it would only be applied in cases where the company is clearly negligent because it has not taken any precautions to protect the interests of its customers, or maybe the laws will be more stringent.

It would be extremely difficult to lay the blame entirely at the feet of the software developers; where should the line be drawn? Often a product relies on system libraries which may themselves have security holes and as such need updating regularly; at best the software house could release a bulletin alerting the customer. Therefore, if the customer is not updating their systems responsibly, they should be equally liable for any breaches that occur.

Likewise, everybody can make mistakes, but if certain procedures have been put in place to try to prevent such mistakes, and the company can produce paperwork to that effect, then that may be sufficient to demonstrate that the company isn't negligent.

You can read the points of view of a couple of other bloggers on the question of legislation here and here.

One thing is certain: security needs to be taken more seriously, given the ever-increasing number of breaches that we are seeing.

What Precautions Should We Be Taking?

Things that we should certainly be doing to improve security in the industry are:

  • Code Signing
  • Encrypting Sensitive Data
  • Secure Coding Practice Training
  • Code reviews (NOT just functional)
  • Static Analysis (Binary and Source)
  • Penetration Testing
  • Staying up to date on security advisories
  • Logging to trace intrusions
  • Log analysis/reporting
  • Certification
  • Single Sign-On (Kerberos/SAML/OAuth)
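Two items in the list above, "Logging to trace intrusions" and "Log analysis/reporting", only pay off if someone actually reads the logs. The following is an added example, not code from the article: it parses a handful of constructed syslog-style SSH authentication lines (the format, hostnames and addresses are invented for the example), flags any source that produces a burst of failed logins, and then reports whether a flagged source later succeeded, which is the case a defender most wants escalated. The threshold and window are assumptions; tune them to your environment.

```python
"""Added example: find bursts of failed logins in an auth log and report
whether any flagged source later logged in successfully. The log format
and sample lines below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: syslog-style lines of the kind sshd emits.
SAMPLE_LOG = """\
2016-03-08T09:00:01 sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51822
2016-03-08T09:00:03 sshd[4022]: Failed password for root from 203.0.113.5 port 51830
2016-03-08T09:00:04 sshd[4023]: Failed password for root from 203.0.113.5 port 51841
2016-03-08T09:00:06 sshd[4024]: Failed password for root from 203.0.113.5 port 51850
2016-03-08T09:00:09 sshd[4025]: Failed password for root from 203.0.113.5 port 51861
2016-03-08T09:00:12 sshd[4026]: Accepted password for root from 203.0.113.5 port 51870
2016-03-08T09:05:00 sshd[4100]: Failed password for alice from 198.51.100.7 port 40010
2016-03-08T09:45:00 sshd[4200]: Accepted publickey for alice from 198.51.100.7 port 40022
"""

# One regex for both outcomes; lines that do not match are skipped, not guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_log(text):
    """Return a list of (timestamp, result, user, source) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source: peak_count} for sources with >= threshold failures
    inside any sliding window of the given length (threshold and window are
    assumed values for the example)."""
    failures = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "Failed":
            failures[src].append(ts)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it covers at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def success_after_failures(events, flagged):
    """Return flagged sources that logged in successfully after their first
    failure: the pattern worth escalating, because the guessing may have worked."""
    first_fail = {}
    for ts, result, _user, src in events:
        if result == "Failed" and src not in first_fail:
            first_fail[src] = ts
    hits = set()
    for ts, result, _user, src in events:
        if result == "Accepted" and src in flagged and ts > first_fail[src]:
            hits.add(src)
    return sorted(hits)


def report(text):
    """Produce the summary a daily log report would carry."""
    events = parse_log(text)
    flagged = find_bruteforce(events)
    return {
        "flagged": flagged,
        "success_after_failures": success_after_failures(events, flagged),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample, 203.0.113.5 produces five failures in eight seconds and then an accepted password login, so it appears in both parts of the report; the single failure from 198.51.100.7 followed by a key-based login is left alone. Running something like this on a schedule is the minimum that turns "logging" into "log analysis/reporting".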

Things that customers should be doing to protect themselves:

  • Encrypting their data
  • Restricting Access
  • Regular Backups (including off-site)
  • Keeping libraries up to date
  • Using a firewall
  • Using an antivirus
  • Using spam filters
  • Using anti-phishing filters
  • Training to protect against social engineering attacks.

This is just the tip of the iceberg, but it's a start. As I become more informed in this area I will keep you up to date with the latest techniques.
