From equanimity to Equifax
Here we go again. Another terrifying breach of data, of trust, and more concretely, of a mission-critical application that manages sensitive data. Attorneys general, Congress, the FBI, the Associated Press, the intergalactic cyber task force, and everyone else are now investigating what went wrong at Equifax. Almost certainly, the board of every company that deals with sensitive data held its emergency meeting last week to get a sense of its own security posture and issue an urgent action plan to find and remediate any security gaps that resemble this exploit.

Many boards these days have a member who is a cyber expert. Most cyber experts are former CISOs, and most CISOs are former network security specialists. That's because investment in network and perimeter security has outstripped application security by a factor of 23:1, taken cumulatively from the inception of the cybersecurity profession. Boards and many CISOs don't understand software design, architecture, or construction. To them it's a black box that should be tested, patched and monitored. Managing the composition and construction of software remains a job for developers and vendors.

It's common pablum these days to say that software powers everything we do. But do the majority of us really understand what that means? Very few IT organizations have a software risk scorecard, and most board members don't even know to ask for one. We here at CAST have been tilting at this particular windmill for the better part of 10 years now, mostly falling on deaf ears. "We just hire good developers to make sure we have good, secure code." Or, "we hired XYZ vendor because they have a strong SDLC process." Or, my all-time favorite these days, "we have an automated unit test environment in our DevOps toolchain." Uh-huh. But do you know if this application uses Struts? And does it use the Struts framework correctly?
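The closing question, whether an application uses Struts at all, is the first line of a software risk scorecard: a dependency inventory. The example below is added here and is not CAST's code or anything from the InfoWorld article; it parses a constructed Maven pom.xml (the project name, coordinates and version strings are placeholders), resolves `${...}` properties the way Maven does for declared versions, and lists every dependency whose groupId falls under a framework of interest. It reads only declared dependencies; transitive ones require the resolved tree (for example `mvn dependency:tree`), which this script does not compute.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml for illustration only; all versions are placeholders.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>claims-portal</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.EXAMPLE</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.EXAMPLE</version>
    </dependency>
  </dependencies>
</project>
"""

# Maven POM elements live in this default namespace.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_RE = re.compile(r"\$\{([^}]+)\}")


def load_properties(root):
    """Collect <properties> plus the built-in project.version."""
    props = {}
    for p in root.findall("m:properties/*", NS):
        name = p.tag.split("}")[-1]  # strip the namespace prefix
        props[name] = (p.text or "").strip()
    version = root.findtext("m:version", default="", namespaces=NS)
    if version:
        props["project.version"] = version.strip()
    return props


def resolve(value, props):
    """Substitute ${prop} references; unknown properties are left verbatim."""
    return PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value or "")


def inventory(pom_text):
    """Return a list of (groupId, artifactId, resolvedVersion) for declared dependencies."""
    root = ET.fromstring(pom_text)
    props = load_properties(root)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        version = resolve(dep.findtext("m:version", default="", namespaces=NS), props).strip()
        deps.append((group, artifact, version))
    return deps


def find_framework(deps, group_prefix="org.apache.struts"):
    """Filter the inventory to one framework family, e.g. every Struts artifact."""
    return [d for d in deps if d[0].startswith(group_prefix)]


if __name__ == "__main__":
    all_deps = inventory(SAMPLE_POM)
    for group, artifact, version in find_framework(all_deps):
        print(f"{group}:{artifact}:{version}")
```

Run against a real pom.xml, the output is the answer to "does this application use Struts?"; comparing the resolved versions against the vendor's advisories answers the follow-up about whether the framework is used correctly, a step that belongs in a scorecard rather than in a post-breach emergency meeting.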
Read Full Article at http://www.infoworld.com/article/3225912/open-source-tools/from-equanimity-to-equifax.html