With all of the talk around the importance of web and application security, why is there so little focus on the corporate databases, which store the most valuable data? Last week, at the annual Computer Enterprise and Investigations Conference, Threatpost had the opportunity to sit down with noted security and database expert David Litchfield to find out. During his career, Litchfield has uncovered hundreds of vulnerabilities in software from IBM, Microsoft, and Oracle. He’s perhaps best known for his database security research.
Browsing Author: George Hulme
“Failure is only the opportunity to begin again, only this time more wisely,” is a quote attributed to legendary automaker Henry Ford. While it seemingly has nothing to do with secure application development, all you need to do is talk to a handful of enterprises who have tried to implement a secure development lifecycle – and you’ll certainly see how it applies.
After winning the attention, and hopefully the backing, of executives, as we covered in The Challenge of Starting an Application Security Program, it becomes much more straightforward to win the funding for the tools, services, and training needed for secure application development.
When organizations started opening their internal applications to the Web, a little more than a decade ago, it quickly became clear that securing those connected applications would be more complex – and more critical to get right – than anything that came before.
One of the greatest knocks on the information security profession is that IT security is always asking for budget to spend against the latest threat, only to abandon the cause like harried firefighters, jumping from one conflagration to the next.
SAN FRANCISCO–There’s an old joke about two hunters running from a lion. One says to the other, “We can’t outrun the lion.” His buddy replies, “I don’t have to outrun the lion, I only have to outrun you.” Many, over the years, have applied the same logic to application security: if their software is ‘secure enough,’ attackers will move on to easier targets.
SAN FRANCISCO–If you are in business long enough, you’re going to get hacked and you’re going to have to call the cops. Maybe you’ll need their help finding the perpetrators of a crime in which your business was victimized. Maybe employees will have conducted a crime involving IT, or maybe you’ll simply be asked to help investigate a crime conducted against someone else. The fact is: your business will engage with law enforcement at some point, and you better be prepared. Sadly, few businesses today are.
You’ve been robbed. Maybe you don’t know to what extent. Perhaps the crook simply took the opportunity to snag a notebook sitting in the back of a car and doesn’t care about the data. Perchance it was a planned burglary, and now a competitor or political activist group has gigabytes of potentially embarrassing emails from one of your top executives. Maybe attackers grabbed sensitive medical files and are now extorting you: pay up or the files are released publicly.
With increasingly sophisticated exploits and well-informed adversaries targeting systems and data – fighting for more security budget is essential. Too bad, then, that management doesn’t always agree.
A gusher of Web application vulnerabilities, malicious insiders and sophisticated malware threaten networks and data. To keep your systems reasonably secure, what will your security focus be during the year