I recently took some time off which gave me the opportunity to clear my head and think about some of the big issues we’re facing with Internet security. I thought if I had to pick one thing, what would be the greatest Web vulnerability out there? Then, of course, my over-analytical mind kicked in and the internal debates arose. I realized that there’s much more to this puzzle. There are technical flaws, there are operational issues, and there are user concerns – all of which contribute to or, depending on your perspective, take away from Web security.

After thinking about it some more I realized that I could indeed come up with one thing that causes the most problems on the Web. That one thing is ignorance. Not to be demeaning but rather to highlight the state of mind of those in control. From executives who control the purse strings and business culture to government bureaucrats who write the regulations to users who have the power in their hands to screw up and get themselves and your business into a bind, there are so many problems with Web security that could be fixed if we just had the attention and the buy-in of the people.

Ignorance of the issues is at the root of practically every Web vulnerability we face. Be it the technical flaws such as SQL injection and cross-site scripting or operational issues such as no standards and lack of vulnerability testing, we’re just not where we need to be with Web security. And unless and until we focus on the right target, we’ll continue to struggle with Web security. It’ll be a continuous loop of 1) develop code, 2) deploy system, 3) experience a breach or fail an audit/assessment, 4) track down the why and how of the flaws, 5) fix the flaws, 6) start all over again.

I understand that quality is a continual process. Be it with automobiles, healthcare, clothing – whatever – we have to learn from and improve upon our mistakes. That’s the way things work in most industries. I just don’t think we’re anywhere near this phase of the game when it comes to IT, software development, and information security.

Web security – and information security in general – is a choice and you simply cannot change what you tolerate. It’s time to stop ignoring the realities of what’s taking place once and for all. Anyone in management hearing this?

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.