In the first part of this article, we talked about the ways your customers may check whether your statements about security in your company line up with reality. Now let us focus on how to ensure that your security practices actually work and how to avoid the numerous pitfalls along the way.
Penetration testing is a good practice, if you know its drawbacks. The first thing to understand is that penetration tests are expensive and time-consuming, and they are often done just before the product release. You can already see what happens, can't you?
At the stage when the product is almost ready, a pentest can only tell whether the patient is alive or dead. If the pentest shows that the product is insecure, your major release will most probably fall apart, and you will find yourself unable to fix anything because the budget is already exhausted.
You can easily avoid this with a "shift left" approach. Take the time at the very first stages of the project to write down the security requirements. Creating a one-pager with basic rules is much cheaper than redoing the whole product. The earlier you start implementing security practices, the cheaper they are.
If your quality and safety processes depend heavily on the human factor, sooner or later the system will fail. It is important to adopt good security practices, but it is just as crucial to implement tools that automate them.
Imagine a project where all security practices are done manually. One day a customer asks for a report on scanning the product and on whether the latest patches are installed. Sadly, it turns out that no tool on the project does this automatically; everything is tied to one person whose task is to come and install the patches from time to time. You realize that this person has other things to do, right? So it is just a matter of time before they miss an update because of a tight schedule or personal reasons. Moreover, the manager most likely does not control this process at all. Protect yourself from the unpleasant discovery that you have to confess to the client that you cannot ensure security on the project. There are many simple and free tools that eliminate the human factor, make the software more secure and your customer happier.
By the way, outdated patches are the most common reason for data breaches. The world moves faster every day, and the old standard of applying patches once a month no longer holds. So make sure you install them as quickly as possible after a vulnerability is identified.
As the pandemic spread, we found ourselves forced to work outside the office. Many people started working on their home PCs rather than on office equipment. Are you sure everyone on your team has licensed antivirus software at home? Do you think all your employees install security patches at home?
Think for a moment about what happens if an unsecured machine connects to the customer's production site. It may infect the client's network, or worse: it may cause a data breach and a personal data leak, which entails serious consequences and fines under the General Data Protection Regulation, not to mention a ruined reputation. Do not allow such a situation: make sure your team works on secured machines, whether corporate or personal. Another thing to avoid is shared accounts. They automatically violate the GDPR rules and lead to heavy consequences as well.
If your customer invites you to a meeting to discuss a security issue, your first job is to find out who will attend from the client's side. It is OK for a Project Manager not to be a security expert. There are people who have learned the subject; ask them for help. It is always best when you are on the same page with your customer, and to get there you have to speak the same language. Be honest: you invite architects to meetings where architecture issues are discussed, don't you? Why should security be any different?
Do not be shy about inviting security experts from your side as well, to make sure you and your client are walking in the same shoes.
One more tip: do not wait until your customer asks about security. Don't be afraid to bring up the topic; be transparent and honest. The desire to send a report that contains no vulnerabilities is understandable. However, sooner or later the truth will come out, and you will lose the client's trust once and for all.
Detecting a phishing letter is not always difficult. It may contain suspicious links, or it may be sent from an unknown address though on behalf of a person you know. Most importantly, however, such a letter evokes emotions: on receiving it, you want to do something immediately, click the link, open the attachment, answer the letter, and so forth. Don't do that! Take your time and think for a minute, especially if the letter looks strange in some way. Follow the basic rule: first think, then act. And make sure your team knows this rule and follows it.
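As an added illustration that is not part of the original article, the Python script below checks an e-mail for the signs just listed: a known display name on an unknown sender address, a link whose visible text does not match where it actually points, and urgent wording in the subject. The address book and both sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed address book: display names the team knows, mapped to their real addresses.
KNOWN_CONTACTS = {"anna ivanova": "anna.ivanova@example.com"}

# Constructed suspicious message: known name on an unknown domain, a link whose
# visible text differs from its target, and urgency in the subject line.
SAMPLE_EMAIL = """\
From: Anna Ivanova <anna.ivanova@examp1e-mail.net>
To: pm@example.com
Subject: URGENT: invoice must be approved today
Content-Type: text/html

<p>Please approve immediately: <a href="http://login.examp1e-mail.net/x">https://portal.example.com</a></p>
"""

# Constructed benign message from the same contact, used as a control.
CLEAN_EMAIL = """\
From: Anna Ivanova <anna.ivanova@example.com>
To: pm@example.com
Subject: Meeting notes
Content-Type: text/html

<p>Notes: <a href="https://portal.example.com/notes">https://portal.example.com/notes</a></p>
"""

URGENCY_WORDS = ("urgent", "immediately", "today", "right now")


def phishing_indicators(raw: str) -> list[str]:
    """Return the indicators found in the raw e-mail; an empty list means none were seen."""
    msg = message_from_string(raw)
    indicators = []
    # Sign 1: the display name belongs to a known contact but the address does not match.
    name, addr = parseaddr(msg.get("From", ""))
    known_addr = KNOWN_CONTACTS.get(name.strip().lower())
    if known_addr and addr.lower() != known_addr:
        indicators.append(f"known name '{name}' but unknown address {addr}")
    # Sign 2: the link text shows one host while the href points at another.
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname or text.strip()
        if shown and shown != target:
            indicators.append(f"link text shows {shown} but points to {target}")
    # Sign 3: wording that pushes the reader to act immediately.
    if any(w in msg.get("Subject", "").lower() for w in URGENCY_WORDS):
        indicators.append("urgency wording in subject")
    return indicators
```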
Rodolfo Assis, a Security Researcher, once said: "A hacker only has to be lucky once; you need to be lucky all the time." Don't make yourself a victim; follow several very simple rules:
Stay tuned for the third part of the article, where we'll talk about implementing security processes in the SDLC and avoiding all the pitfalls and unpleasant surprises we have revealed in the two previous parts.
Thanks to my colleague Dmytro Tereschenko, Head of the Information Security Department, for this article. Dmytro has worked in IT for over 17 years. He started his career as an information security specialist and has also tried his hand in other areas: Quality Assurance, Business Analysis, Project Management, People Management and others. In recent years he has focused on information security and achieved considerable success in it.
Previously published at https://sigma.software/about/media/security-pm-5-ways-make-your-project-more-secure