Sacking the Hackers

by Jonathan Bloom

I couldn’t let this week go by without making at least one mention of what is taking place this weekend. This annual event held every year since the year I was born brings most of the United States to a mesmerized halt on the first Sunday in February…and this year I’ll be more mesmerized than I have been the past few years.

Yes, the event is the Super Bowl and yes, my beloved, dynastic, New England Patriots are -- for the fifth time in the last 11 years -- representing the American Football Conference (AFC) in “The Big Game.”

Now if you ask me who I think will win, I’ll tell you that dating back to mid-season 2001 I have believed the Patriots could or should win every game they’ve played. That doesn’t mean that I think there aren’t things they could do better. This year especially, I think there are things that they could do to improve their defense…but then again, what organization couldn’t stand to shore up its defense, particularly in this day and age when hackers continue to take aim at sensitive data.

Defensive Scheme

Matthew Schwartz at InformationWeek thinks there are nine ways companies can improve their defense and minimize the impact – or better yet, the risk – of a data breach. His thoughts include:

  1. Put a good information security program in place
  2. Enforce strong passwords
  3. Hide breaches at your peril
  4. Gauge breach-notification speed carefully
  5. Expect data to be breached
  6. Encrypt all sensitive data
  7. Expire your own data
  8. Beware social engineering
  9. Demand data discovery services

These nine steps can be broken down into three categories:

  • Security measures, including encryption, security software and making employees aware of how to detect a phishing attack or potential Trojan Horse;
  • Damage control, such as don’t hide that a breach has occurred and prepare how to react if breached; and
  • Minimizing opportunity by ensuring the available block of data is too small to be worth targeting, thereby not making it worth the hacker’s efforts to breach the system.
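The third category, minimizing opportunity, is the one that can be put into code most directly: expire data on a schedule and keep only the fields a process actually needs, so a breached export yields little. The following is an added example written for this post, not code from the original article or from CAST; the record layout, the 90-day retention period, the field allow-list and the sample records are all constructed assumptions.

```python
"""Data minimization: expire old records and strip fields a process does not need.

Added illustration (not from the original post). The record layout, retention
window and sample data below are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample: a support export that has accumulated more than it needs.
RECORDS: List[Dict[str, str]] = [
    {"id": "c1", "email": "a@example.com", "card": "4111111111111111",
     "ssn": "123-45-6789", "collected_at": "2011-01-15T00:00:00+00:00"},
    {"id": "c2", "email": "b@example.com", "card": "5555555555554444",
     "ssn": "987-65-4321", "collected_at": "2011-12-20T00:00:00+00:00"},
    {"id": "c3", "email": "c@example.com", "card": "378282246310005",
     "ssn": "111-22-3333", "collected_at": "2012-01-25T00:00:00+00:00"},
]

# Fields the support process is allowed to see; the SSN is never needed here.
ALLOWED_FIELDS = {"id", "email", "card", "collected_at"}
# Assumed retention window: anything older is deleted, not archived.
RETENTION = timedelta(days=90)


def mask_card(pan: str) -> str:
    """Keep only the last four digits, enough for an agent to confirm a card."""
    return "*" * (len(pan) - 4) + pan[-4:]


def minimize(records: List[Dict[str, str]], now: datetime,
             retention: timedelta = RETENTION) -> List[Dict[str, str]]:
    """Drop expired records and reduce the rest to the allow-listed, masked fields."""
    kept = []
    for rec in records:
        collected = datetime.fromisoformat(rec["collected_at"])
        if now - collected > retention:
            continue  # expired: the whole record is removed
        slim = {k: v for k, v in rec.items() if k in ALLOWED_FIELDS}
        slim["card"] = mask_card(slim["card"])
        kept.append(slim)
    return kept


if __name__ == "__main__":
    # Constructed "current" date for the demonstration.
    for row in minimize(RECORDS, datetime(2012, 2, 5, tzinfo=timezone.utc)):
        print(row)
```

Run as a scheduled job, the same function both shrinks what an attacker could take and documents, in one place, which fields each process is entitled to.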

All of these areas are sound means to address potential breaches and seem reminiscent of defensive strategies in football. Much like stopping a play at or just after the line of scrimmage, having security software in place and using encryption will help detect and forestall hackers. Should that line of defense fail, having damage control measures in place will certainly minimize the long-term effects of the breach, much like a tackle made by the defensive secondary many yards downfield. Of course, the strategy of ball control in football is on par with minimizing opportunity; if there’s nothing there worth gaining in a breach, hackers likely will not do anything with what they get and are not likely to try again.

But while Schwartz does cover nine sound ways to minimize the damage of a data breach, he leaves out perhaps the tenth and most important line of defense – the “sacking of the quarterback on fourth-and-ten” – keeping out the intruders.

Stuffing the Run

Everything Schwartz discusses assumes that, if a hacker gets into a system, damage will be done and files will be stolen. But if there is no vulnerability to breach, then there is no way for an intruder to infiltrate the system.

At the root of many of the breaches that took place in 2011 was some form of software vulnerability. Some of these vulnerabilities were latent issues in legacy code. Some of the issues evolved due to code that was poorly written. All were preventable -- had the companies writing the code performed structural analysis of their applications during every stage of the build process.

Software issues need to be dealt with before they become a problem, not after hundreds of thousands of sensitive data files are stolen and customers’ personal data is exposed. By ensuring sound structural quality out of the gate through a process of automated application software assessment during the build process, companies can identify vulnerabilities and form an impenetrable defense that will not allow the hackers to score.
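To make "automated application software assessment during the build process" concrete, here is an added example of a minimal build gate: a static check that parses Python source with the standard-library `ast` module, flags a few well-known risky constructs, and returns a non-zero exit code so the CI job fails before the code ships. It is illustrative code written for this post, not CAST's product or any other vendor's tool; the rule set, the `SAMPLE_SOURCE` under test and the function names are all constructed assumptions, and a real assessment covers far more than these patterns.

```python
"""Minimal build-time static check (added illustration, not a vendor's SAST tool).

Parses Python source with the standard-library ``ast`` module and reports a few
classic defect patterns. A CI step would run ``build_gate`` and fail the build
on a non-zero return. Rules and sample input below are constructed assumptions.
"""
import ast
from dataclasses import dataclass
from typing import List

# Calls that become injection points when fed attacker-controlled input.
RISKY_CALLS = {
    "eval": "dynamic code evaluation",
    "exec": "dynamic code execution",
    "pickle.loads": "deserialization of untrusted data",
    "os.system": "shell command built from a string",
}
# Variable names that suggest a hard-coded credential.
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def _call_name(node: ast.Call) -> str:
    """Dotted callee name such as 'os.system' or 'eval'; '' when not resolvable."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def scan_source(source: str) -> List[Finding]:
    """Walk the syntax tree once and collect findings, ordered by line."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in RISKY_CALLS:
                findings.append(Finding(node.lineno, "risky-call",
                                        f"{name}: {RISKY_CALLS[name]}"))
            # Any subprocess.* call with shell=True routes its argument through a shell.
            if name.startswith("subprocess.") and any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                and kw.value.value is True for kw in node.keywords
            ):
                findings.append(Finding(node.lineno, "shell-true",
                                        f"{name} called with shell=True"))
        elif isinstance(node, ast.Assign):
            # A non-empty string literal assigned to a credential-like name.
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and any(s in target.id.lower() for s in SECRET_NAMES)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)
                        and node.value.value):
                    findings.append(Finding(node.lineno, "hardcoded-secret",
                                            f"literal assigned to {target.id}"))
    return sorted(findings, key=lambda f: f.line)


# Constructed input that trips every rule; it is only parsed, never executed.
SAMPLE_SOURCE = '''\
import os, subprocess, pickle
DB_PASSWORD = "hunter2"
def run(user_input):
    os.system("ls " + user_input)
    subprocess.run(user_input, shell=True)
    return eval(user_input)
def load(blob):
    return pickle.loads(blob)
'''


def build_gate(source: str) -> int:
    """Print findings and return the CI exit code: 0 clean, 1 when anything was found."""
    findings = scan_source(source)
    for f in findings:
        print(f"line {f.line}: [{f.rule}] {f.detail}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(build_gate(SAMPLE_SOURCE))
```

The point of running this at build time rather than in production is the one the paragraph above makes: the finding is surfaced to the developer who just wrote the line, while fixing it is cheap, instead of to an incident responder after the data is gone.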

Filed in: Software Analysis
Jonathan Bloom Technology Writer & Consultant
Jonathan Bloom has been a technology writer and consultant for over 20 years. During his career, Jon has written thousands of journal and magazine articles, blogs and other materials addressing various topics within the IT sector, including software development, enterprise software, mobile, database, security, BI, SaaS/cloud, Health Care IT and Sustainable Technology.