Tuesday, October 22, 2013

If Security is Theater, Matt Tesauro and OWASP can help prevent Drama

So, as we all know, IT Security involves a lot of useless theater.  What I learned today at LASCON 2013 is that really good defensive programming involves no theater - only hard work on the part of engineers.

I took part in a training today at LASCON 2013 from Matt Tesauro - "OWASP Top 10" - covering what matters most in application security.  Matt was an invited speaker and an incredibly talented security professional from Rackspace.  Rackspace must be very committed to application security to give Matt the time to teach this course.

Security Theater involves drama, where identities are lost, people are hurt, and company reputations are ruined. OWASP is all about preventing drama.  While there are laws (HIPAA, SB1386, SOX, breach disclosure laws) and standards (PCI, NIST, DISA STIG and Safe Harbor), the bottom line for security is how well applications are coded. No amount of auditing and regulating makes an application safe - only good programming practices and diligence do that.

The OWASP Top 10 hasn't changed much recently.  It's about time (IMHO) that more security training - like OWASP's - is required of programmers.  Less drama, more insightful programming.

One more observation.  A legion of the security professionals I know are not developers.  Even if you're not a coder, take the time out of your busy day to learn something about application security and become knowledgeable about the issues programmers face, if you intend to be effective in helping your company achieve better IT security.
