4 Penetration Testing Tips: Interop Preview - InformationWeek


Ashu001
User Rank: Ninja
10/7/2014 | 12:46:41 PM
Re: Brushing & Flossing
Stratustican.

If you go about the whole process honestly, openly and transparently and show them the big picture, I see no real reason why developers would be resistant to the whole process (or against it).

After all, they also want to deliver the best products out there, don't they?

It's beyond essential that we implement and embed security in SDLCs today.
Ashu001
User Rank: Ninja
10/7/2014 | 12:44:20 PM
Re: Brushing & Flossing
David,

Yes, that probably explains why security in the SDLC slows things down so much today.

It's very much a chicken-and-egg situation currently.

Because we don't do enough of it, we don't have enough trained folks, and because there aren't enough trained folks out there, software development teams are reluctant to go the whole hog and embed security in the lifecycles of software designed today.

Somebody has to take the first step. Else nothing changes.

Regards

Ashish.
Stratustician
User Rank: Ninja
9/24/2014 | 1:40:15 PM
Re: Brushing & Flossing
I think there is also a bit of stigma for developers to ask or allow the security teams to pen test their applications for fear that there might be a significant hole that requires revisions to the application, resulting in longer development cycles, especially if they have to go back and revise the design to fix these flaws.  Having security as part of the development cycle in earlier stages would definitely help in many cases.
zerox203
User Rank: Ninja
9/24/2014 | 12:48:00 AM
Re: 4 Penetration Testing Tips
I'll second that the dentist/doctor analogy is a perfect one. After all, if you're only looking to do the bare minimum, you might as well do it yourself and save your money on the third-party firm (this part extends to the dentist analogy as well)! When you call in the dentist, you're looking for two things: routine, necessary care that you can't do yourself at home (penetration testing and things that require specialized analysis/horsepower), and specific issues that may have slipped through the cracks. Sometimes the latter will include seemingly obvious stuff, and that's okay; just make sure you've done your due diligence first.

I do think that faster dev cycles and a generally faster-paced business culture have a lot to do with these breaches and gaps in security. There are probably a lot of best practices that could improve how we work security into agile development (etc.) from the get-go, but it seems unlikely that we can ever reach old levels of diligence. After all, the whole idea of speeding up dev cycles and slashing red tape is that we were doing too much, right? And there's some fairness to that. 3-4% for a company like Target is huge, but is it really that much more than adding 10% or 20% to their dev time? Depends on your perspective.
Ashu001
User Rank: Ninja
9/23/2014 | 1:20:41 PM
Re: Brushing & Flossing
David,

PRECISELY!

You nailed it perfectly here.

This is the single most important reason why it takes longer than it should in development cycles.

The notion of the SDLC is something which needs to kick in big time rather than just as a fancy buzzword (which it has unfortunately become today).

Regards

Ashish.
David Wagner
User Rank: Strategist
9/23/2014 | 1:17:10 PM
Re: Brushing & Flossing
@ashu001 - David would definitely agree with you that you need someone driving this. I wonder about the idea of security taking too long in the development cycle, though. I wonder if that is because we just aren't doing it. It takes longer at first to do a lot of things, and then we practice them and they get faster.
Ashu001
User Rank: Ninja
9/23/2014 | 1:14:17 PM
Re: Brushing & Flossing
David,

The analogy was most apt.

I am sure David will be a superb speaker at Interop.

These are a lot of very basic but also very useful tools that unfortunately most organizations miss.

The reason is that security teams are not embedded within development teams from the beginning.

If they were, development would (initially) be a very slow and cumbersome process, but then you would save a whole lot of pain and agony in the long run.

The other thing is the fact that most development cycles have gotten way too fast today, and these teams can't tolerate obstacles from anyone, let alone security.

So unless we see a top-down order (embedding security compulsorily in place), nothing much will change.

Regards

Ashish.
David Wagner
User Rank: Strategist
9/23/2014 | 12:12:50 PM
Re: Brushing & Flossing
@Drew- The analogy is all from David Rhoades. He's really great at giving you a reason for everything he does. He should be a great speaker at Interop this year.
Drew Conry-Murray
User Rank: Ninja
9/23/2014 | 11:47:34 AM
Brushing & Flossing
I love the dentist analogy here. So much about risk management and security is taking care of daily basics. You gotta brush and floss if you want to avoid a lot of pain later at the dentist. And frankly, it's refreshing to hear a security company say they don't have silver bullets. No one does, but that's not a message you hear very often in the market.