You can't secure what you don't acknowledge.SM

Friday, July 1, 2011

Get over yourself

The late, great Richard Carlson once said:

"Humility and inner peace go hand in hand. The less compelled you are to try to prove yourself to others, the easier it is to feel peaceful inside."

I believe this theory explains why so many people in IT and information security are so stressed out. I'm also convinced that this concept is the basis for all the bad choices and negative behavior we've seen in the world of IT and information security as of late.

Moral of the story: Don't be this guy... that is, if you want to have inner peace and go places in your career.

Monday, June 27, 2011

The value of partial code scanning, now

Check out my new piece on the business value of partial code scanning where I outline why it's better to start your source code analysis now instead of waiting around until certain milestones of your development projects are reached or your software applications are completed altogether.

It's kind of funny and ironic that we humans are all about instant gratification, yet with information risk issues such as source code analysis, we tend to want to wait until everything's perfect (and way more costly) before we get started. This reminds me of the Mark Victor Hansen quote:

“Don't wait until everything is just right. It will never be perfect. There will always be challenges, obstacles and less than perfect conditions. So what. Get started now. With each step you take, you will grow stronger and stronger, more and more skilled, more and more self-confident and more and more successful.”

I wrote this article in conjunction with the nice folks at Checkmarx, who happen to produce the best static source code analysis tool I've used, especially given its price compared to the competition. It's not even in the same galaxy as some of the others out there. Definitely worth checking out.

Dropbox "bug" = why the cloud cannot be blindly trusted

I've been ranting about "the cloud" (what a tired term) for a couple of years now. As if we haven't seen enough examples lately of why we cannot put all our eggs in the cloud basket, here's one more with the "code bug" that impacted Dropbox's authentication mechanism over the weekend.

Sure, Dropbox isn't an enterprise cloud app per se but I'll guarantee you it's impacting your enterprise this very moment. Think data backups, intellectual property, PII, password safes and whatever else your users are syncing across their multiple systems.

How do you explain such exposures to management or to your board when something like this happens? Do you say "Well, our cloud provider said their system was secure because they use SSL and, furthermore, have a SAS 70 Type II audit report to prove it," or "Our legal team approved the contract and the SLA and gave us the go-ahead"?

I don't know that management will ever get on board the way they need to, but cloud insecurities will certainly work themselves out in the marketplace, and in the courts, and eventually get on the radar of the people that matter.

This Dropbox dilemma is a relatively small and insignificant example of what happens when you completely rely on others for information security. I'm not saying don't use the cloud. I'm saying get your arms around the cloud before it impacts your business in a negative way. Odds are it will, somehow, and everyone will be looking to you for a well thought out response.