In the first part of this article, we talked about the ways in which your customers may check whether your statements about security in your company line up with reality. Now let us focus on how to ensure that your security practices are actually working and how to avoid the numerous pitfalls along the way.
1. Pentests: a patient is rather alive than dead?
2. Human factor: when error is just a matter of time
3. Working from home vs. GDPR: the devil is in details
4. Know who you are talking to: don't underestimate communications
Implementing pentests is a good practice, if… if you know the drawbacks. The first thing to reveal is that penetration tests are quite expensive and time-consuming. And they are often done just before the product release. You already see what's happening, don't you?
At the stage when the product is almost ready, a pentest can only say whether the patient is alive or dead. If the pentest shows that the product is insecure, your major release will most probably be broken, and you will find yourself in a situation where you cannot fix anything because you have already exhausted the budget.
You can easily avoid this with a "shift left" approach. Don't neglect to take the time at the very first stages of the project to write the security requirements. Creating a one-pager with basic rules is much cheaper than redoing the whole product. The earlier you start implementing security practices, the cheaper they will be.
If your quality and safety processes depend heavily on a human factor, sooner or later the system will fail. Not only is it important to adopt good security practices, it is also crucial to implement tools that automate them.
Let's imagine a project where all security practices are done manually. One day a customer on such a project asks for a report on product scanning and whether the latest patches are installed. Sadly, it turns out that there is no tool on the project that does this automatically, and everything is tied to one person whose task is to come and install the patches from time to time. You do realize that this person has other things to do, right? So it is just a matter of time before this person misses the updates because of a tight schedule or some personal reasons. Moreover, the manager most likely does not control this process at all. Protect yourself from unpleasant discoveries, such as having to confess to the client that you cannot ensure security on the project. There are many simple and free tools that help eliminate the human factor, make software more secure, and make your customer happier.
By the way, missing patches are the most common reason for a data breach. The world becomes faster day by day. The old standard of installing patches once per month no longer holds. So make sure you install them as quickly as possible after a vulnerability is identified.
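To show what "a tool that does it automatically" can look like in practice, here is an added example (not from the article or from Sigma Software) of a patch-compliance check that a scheduled job could run instead of relying on one person remembering to patch. The inventory, the advisory feed, the package names and versions, and the seven-day policy are all constructed assumptions; a real job would pull the inventory from the package manager or asset database and the advisories from a vulnerability feed, and would fail the pipeline or page someone when the list of overdue fixes is not empty.

```python
"""Automated patch-compliance check (added example; data below is constructed).

A scheduled run compares what is installed on each host with the fixed
versions published in advisories and reports every fix that has been
available longer than the policy allows.
"""
from datetime import date

# Constructed advisory feed: package -> (first fixed version, publication date).
# These are placeholder packages, not real advisories.
ADVISORIES = {
    "libfoo": ("3.0.13", date(2024, 1, 30)),
    "barutils": ("8.6.0", date(2024, 1, 31)),
}

# Constructed host inventory: host -> {package: installed version}.
INVENTORY = {
    "build-01": {"libfoo": "3.0.13", "barutils": "8.6.0"},
    "build-02": {"libfoo": "3.0.11", "barutils": "8.6.0"},
    "dev-laptop-07": {"libfoo": "3.0.13", "barutils": "8.4.0"},
}

# Assumed policy: a published fix must be installed within seven days.
MAX_PATCH_AGE_DAYS = 7


def parse_version(version):
    """Turn '3.0.13' into (3, 0, 13) so that versions compare numerically,
    not as strings (where '3.0.9' would sort after '3.0.13')."""
    return tuple(int(part) for part in version.split("."))


def overdue_patches(inventory, advisories, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return one (host, package, installed, fixed, days_past_deadline) tuple
    for every host still running a version below the fixed one, once the
    advisory is older than the policy allows."""
    findings = []
    for host, packages in sorted(inventory.items()):
        for package, (fixed, published) in advisories.items():
            installed = packages.get(package)
            if installed is None:
                continue  # package not present on this host: nothing to patch
            if parse_version(installed) >= parse_version(fixed):
                continue  # already at or above the fixed version
            age_days = (today - published).days
            if age_days > max_age_days:
                findings.append((host, package, installed, fixed, age_days - max_age_days))
    return findings


def main(today=None):
    """Print the report and return a process exit code for the scheduler."""
    today = today or date.today()
    findings = overdue_patches(INVENTORY, ADVISORIES, today)
    for host, package, installed, fixed, late in findings:
        print(f"{host}: {package} {installed} < {fixed}, {late} day(s) past the deadline")
    if not findings:
        print("all hosts within the patch policy")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The point of the exit code is that the check is wired into something that runs without a person, such as CI or a cron job, so the report the customer asks for exists before they ask for it.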
With the pandemic spreading, we found ourselves in a situation where we were forced to work outside the office. Many people started working on their home PCs rather than office equipment. Are you sure everyone on your team has licensed antivirus software at home? Do you think all your employees install security patches at home?
Think for a moment about what will happen if an unsecured machine connects to the customer's production site. It may infect the client's network, or even worse: it may cause a data breach and a personal data leak, which entails serious consequences and fines under the General Data Protection Regulation, not to mention a ruined reputation. Do not allow such a situation to arise: make sure your team works on secured machines, whether corporate or personal.
Another thing to avoid is shared accounts. They automatically violate the GDPR rules and lead to heavy consequences as well.
If your customer invites you to a meeting to discuss a security issue, your first job is to find out who will attend it from the client's side. It is OK for a Project Manager not to be an expert in security. There are people who have learned the subject: ask them for help. It is always best when you are on the same page with your customer, and to make that happen you have to speak the same language. Be honest: you invite architects to meetings where architecture issues are discussed, don't you? Why should security be any different?
Do not be shy about inviting security experts from your side as well, to make sure you and your client are walking in the same shoes.
One more tip here: do not wait until your customer asks about security. Don't be afraid to bring up the topic; be transparent and honest. The desire to send a report that contains no vulnerabilities is understandable. However, sooner or later the truth will be revealed, and you will lose the client's trust once and for all.
Detecting a phishing letter is not always a difficult task. It may contain suspicious links, or it may be sent from an unknown email address, though on behalf of a person you know. Most importantly, however, such a letter evokes emotions. On receiving it, you may want to do something immediately: click the link, open the attachment, answer the letter, and so forth. Don't do that! Take your time and think for a minute, especially if the letter looks strange in some way. Follow the basic rule: first think, then act. And make sure your team knows this rule and follows it.
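The three signals named above (a link to somewhere unexpected, a known name on an unknown mailbox, and pressure to act right now) can be turned into a small triage routine that a mail gateway or a help desk can run before anyone clicks. The following is an added example written for this article, not code from Sigma Software; the two sample messages, the list of known domains (`example.com`) and the urgency word list are constructed assumptions, and a multipart message is treated as having an empty body to keep the example short.

```python
"""Heuristic phishing triage of a raw email (added example; samples are constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains the organisation treats as its own or as known partners.
KNOWN_DOMAINS = {"example.com"}

# Assumed word list for the "act immediately" signal.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify now")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# An HTML anchor: capture where it really goes (href) and what the reader sees (text).
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

# Constructed sample: familiar name, look-alike sender domain, urgent wording,
# and a link whose visible text differs from its real destination.
PHISH_SAMPLE = """From: "Anna Kowalski (CEO)" <anna.kowalski@examp1e-mail.test>
To: dev@example.com
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account will be suspended within 24 hours.</p>
<a href="http://login.examp1e-mail.test/verify">https://portal.example.com/login</a>
"""

# Constructed sample of an ordinary internal message.
LEGIT_SAMPLE = """From: "Anna Kowalski" <anna.kowalski@example.com>
To: dev@example.com
Subject: Sprint review notes

Notes are in the wiki: https://wiki.example.com/sprint-42
"""


def domain_of(url):
    """Host part of a URL, ignoring scheme, path, port and any 'user@' prefix."""
    host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0]
    return host.split("@")[-1].split(":")[0].lower()


def is_known(domain):
    return any(domain == k or domain.endswith("." + k) for k in KNOWN_DOMAINS)


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the message."""
    msg = message_from_string(raw_message)
    found = []

    # 1. Known name, unknown mailbox: "on behalf of the person you know".
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if display and not is_known(sender_domain):
        found.append(f"familiar display name '{display}' from unknown domain {sender_domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        found.append(f"Reply-To points elsewhere: {reply_to}")

    # 2. Suspicious links: unknown destinations, or text that hides the real target.
    body = "" if msg.is_multipart() else msg.get_payload()  # simplification for the example
    for url in URL_RE.findall(body):
        if not is_known(domain_of(url)):
            found.append(f"link to unknown domain: {domain_of(url)}")
    for href, text in ANCHOR_RE.findall(body):
        text = text.strip()
        if URL_RE.fullmatch(text) and domain_of(href) != domain_of(text):
            found.append(f"link text shows {domain_of(text)} but goes to {domain_of(href)}")

    # 3. Emotional pressure: wording that pushes the reader to act now.
    everything = (msg.get("Subject", "") + " " + body).lower()
    hits = [word for word in URGENCY_WORDS if word in everything]
    if hits:
        found.append("pressure to act now: " + ", ".join(hits))
    return found


def verdict(indicators):
    """Translate the indicator count into the 'first think, then act' advice."""
    if len(indicators) >= 2:
        return "likely phishing: stop, do not click, and verify with the sender out of band"
    if indicators:
        return "review before acting: one indicator found"
    return "no indicators found"


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        hits = phishing_indicators(sample)
        print(name, "->", verdict(hits))
        for hit in hits:
            print("   ", hit)
```

None of these heuristics is proof on its own (a partner may legitimately write from a new domain, and a real outage notice may well be urgent), which is why the output is a list of reasons to pause rather than an automatic block; the rule the article gives, think first and then act, is what the list is meant to support.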
Rodolfo Assis (@brutelogic), a Security Researcher, once said: "Hacker only has to be lucky once, you need to be lucky all the time". Don't make yourself a victim; follow several very simple rules:
Stay tuned for the third part of the article, where we'll talk about implementing security processes in the SDLC and avoiding all the pitfalls and unpleasant surprises we have revealed over the two previous parts.
Dmytro has been working in IT for over 20 years. He started his career as an information security specialist and also tried his hand in other areas: Quality Assurance, Business Analysis, Project Management, People Management, and others. In recent years, he has focused heavily on information security and achieved considerable success in it. Today, Dmytro is the Head of the Information Security Department and has extensive experience in process building and team management. He is a well-known speaker at specialized events and a trainer at internal and external courses of Sigma Software University.