Preparations trump predictions when it comes to vulnerabilities
This is a guest post by Heather Wilcox. Heather, in addition to being a 2-time past presenter, is also a long-time PNSQC volunteer. She has spent over 20 years working and learning in the software industry, in a range of positions, whose job descriptions include, but are not limited to: Tech Support Engineer, IS Manager, Technical Writer, QA Engineer, QA Manager, and Configuration Management Engineer. This has given her a wide range of experiences to draw from in her current role as a Senior Quality Assurance Engineer.
I’ve been inside of and around the periphery of the Security world since 1999. In that time, I’ve learned some important lessons about security that I believe can help everyone, regardless of their level of security expertise, or lack thereof.
You have to move fast in security
I’d like to start by addressing the 2019 PNSQC theme, “A Culture of Quality.” As engineers, we love statistics, so the idea of a neat list of trending security issues is very attractive to us. But, the reality of the situation is this: A security issue is only current until it is replaced by a new, hot hack. It’s possible that, if I create a list of current issues, by the time this article is published, one or more of the items will be completely out of date.
The Hacker Dream is to create the next BIG EXPLOIT. Maybe they’re in it for money or maybe they’re in it for the sheer (twisted) joy of knowing they destroyed or shut down millions of machines worldwide. But — regardless of the motivation — at this moment, the highest echelon of Black Hats are hard at work on that Next Big Thing, which could be set loose at any moment.
So, how do you battle this kind of pernicious evil? The same way you protect yourself in the real world – awareness. I know this information is not new, but it is vital. Keeping your machine's software patched and up to date, setting up your firewall, and making sure you've got anti-virus software installed with updated definitions is not enough. Not even close.
Reducing vulnerabilities through awareness
You’ve got to educate yourself on the basics and then stay informed as new exploits are discovered, documented and remediated.
- Start by knowing the OWASP Top 10, which was last updated in 2017. This is a list of the top known security vulnerabilities in Web Applications. If your company has a web server doing anything more than serving static content, this document is your security "bread and butter." If you develop web apps, it is a mandatory read. The list is updated as new web app security vulnerabilities are discovered and documented.
- The National Institute of Standards and Technology (NIST) hosts the Computer Security Resource Center (CSRC), which is a collection of papers on security best practices and security assessment tools.
- Another must-visit site is The Sys-Admin, Audit, Network and Security Institute (SANS). SANS has been around since 1989. They have access to some of the best minds in the security industry and their site offers a series of blogs on security awareness, trends, and an array of other focused security topics. They’ll let you know what new evil is hurtling your way as soon as they know about it.
- Check out this cyber security resource created by Hitachi Systems Security Inc. It is a list of their top 10 (they updated from 7) security sites. I’ve looked at the sites and they’re definitely worth visiting. Both the NIST and SANS sites are on the list, as well as several others that will help you educate yourself on security topics and terminology as well as the latest hot exploits.
- Finally, there is Black Hat. This is one of the best conferences for security professionals. They have an extensive archive of presentations that you can access to get yourself up to speed on all sorts of security concepts, trends, and general knowledge.
The take-home message in all of this is that there is no easy answer for security. A list of current trends is great, but it’s only valid until something newer and badder is set loose upon us.
Vigilance and preparation are the keys to keeping both your network and your applications secure. The resources listed here can give you a huge head start on that work.