In recent years, media attention to security failures has increased. Every day we hear about data being stolen, systems being hacked and held for ransom, and now even election campaigns being targeted. What reason do you have to believe that your company's name will not be among those thrown around in the media?
One thing I have learned in my career is that security cannot be patched on later in the product life cycle. It is not a feature. Security has to be built into the architecture of an application, just like security has to be built into the architecture of a building. It doesn't matter how fancy your alarm system is if it relies on a phone line or a power cable that is exposed on the outside wall of your home.
So if you have a system that is not fundamentally set up to be secure, it will be extremely costly to make it secure. Just as with the house, if the architecture didn't take security into account, a lot of expensive renovating will be needed to bring the security up to par.
Companies use many applications today, most of them written entirely or at least partly by third-party developers. This means the company has little control over the security precautions those developers build into their software. This is even more true for an off-the-shelf product than for a custom-built application. For developers, building a secure system is hard, and thus more expensive than not thinking about security explicitly.
A while ago we noticed the devastating effect this can have, as hackers exploited a vulnerability in hundreds of thousands of 'smart' devices. The exploit was then used to cripple the internet in almost the entire United States. The reason this was possible? Because no one wants to pay $100 more for a secure smart TV that does exactly the same as an insecure one. And more importantly: you cannot tell the difference when you're buying it.
If your company is currently using applications that you are not sure protect against the most widely used attacks, there are ways to get certainty. A host of tools is available online that will scan your application and system settings for the most commonly exploited vulnerabilities. An even better approach, used by some of our customers as well, is to hire an independent security specialist to perform a penetration test.
When a security specialist performs a penetration test, they use the same online tools that are available to you. The difference, of course, is their knowledge of application security, which they also use to test the application manually. Such a penetration test results in a report that identifies vulnerabilities, each with a specified severity ranging from trivial to critical.
With such a report you get a better understanding of the quality of the security your application provides. It is advisable to perform a penetration test at least once a year. Make sure that the person who performs the test is independent.