Welcome to 2018. Don't let a world on fire burn you.12th January 2018
#1: The Secure Code Warrior platform and backoffice is hosted in AWS. They have been working on this #embargo issue for a while.
#2: As a customer extremely concerned about security, we are working with AWS and all of our vendors to ensure patches and protections are in place.
#3: Secure Code Warrior will continue to monitor the situation and will work with vendors and customers to protect data.
Phew, now that we have addressed the current day crisis of #Meltdown and #Spectre, let’s dive into a few other ideas.
First, please don’t take take point number one above as being glib. Security issues with hardware are concerning, scary even, and in cases where it is so widespread, tragic. However, there is only so much we can do. Yelling or finger-pointing or spreading fear will not help fix the issue and will not increase security. However, here are five simple steps we can all (and should) do right now to improve our security posture.
- Patches and upgrades: Do them. Most enterprises are great at patching the basic stuff, but struggle to patch everything. Now is the time to patch. Every. Darn. Server... Even that one in the remote office, sitting under a desk, in what used to be a janitor’s closet.
- Increase network activity visibility: You can’t see the activity, if you’re not looking for it. Beyond AV, tools from Tanium, FireEye, CarbonBlack, Veriato, and more can capture machine activity that can be monitored with a SIEM or SOC (Security Operations Center).
- Utilize Identity Access Management tools: Who is on your network and are they doing what they should be doing? IAM, multi-factor authentication, and PIM/PAM tools help keep the bad guys out... and the good guys in (line).
- Encrypt data: Find your data (it is probably located EVERYWHERE), ID the sensitive information, and encrypt it. Data that is encrypted and managed correctly is worthless.
- Build and write code better: At the end of the day, if the code is weak, it WILL be hacked. We live in a world reliant on software. Contrary to public belief, it is software development, not technology, that is at the heart of it all. Most organizations I have worked with view developers as add-ons to their technology, “the +1’s to the wedding reception”, so to speak. This view is incorrect. As with any skill (reading, math, driving, public speaking), greatness comes from practice and awareness. For many developers, secure coding techniques have expanded and improved from when they first learned to code. Providing developers with ongoing application security training and secure coding tools that cover the OWASP Top 10, can be the most cost effective, impactful steps an organization can take to enhance its security posture.
The next few days, weeks, and months are going to be hectic as everyone panics about this most recent security event. Before you become overwhelmed, think through your security checklist (use the one I provided here, if you need one), plan action steps to move forward, and work through your plan. Good luck and code securely.
What did you think? Do you want to add additional thoughts? Let us know!
Follow us on twitter @SecCodeWarrior
Follow me on twitter @ravici
Most organizations I have worked with view developers as add-ons to their technology, “the +1’s to the wedding reception”