The Elephant of Application Security
As a business manager, your daily life revolves around ensuring the smooth operation of your business, keeping an eye out for opportunities to work with customers, partners and suppliers to ensure the continued success of your organization.
In the midst of all the daily hassles you notice a number of posts on your favorite social media websites declaring a breach of sorts somewhere nearby or possibly on the other side of the earth. No matter what industry, it seems that we find ourselves entrenched in a virtual cyber-war that has begun subtly while the world was reaping the benefits of virtualization and facilitated communications.
Let's be frank: yes, IT has enabled many businesses to become efficient, but a lot of this efficiency has come at the price of a large pink elephant sitting in the corner of all our businesses, staring us in the eye, wondering when we'll gawk back and ask: when in the world did a pink elephant walk into the room?!
The question mark drawn upon this fading and shimmering face of that elephant is: what have you done to ensure that your business is in fact not suffering from some breach of sorts that is related to IT? Are you exercising due diligence and taking initiative to find out where you stand from a security point of view where your IT systems are concerned? Has the self-questioning muse visited the blaring horns of alarm upon your mind's ears and sent you in frantic pursuit of safety from the otherwise expanding cloud of doom slowly forming?
Well, no need to go to those extremes of anxiety. You know very well that there is an issue to be dealt with here, and at this point you are already ahead of most players in the game. Of course, as any good spiritual book on martial arts will tell you: know thyself. You can extrapolate from this advice that, like a hypothetical person, your business should be able to assess itself, its strengths and weaknesses.
Weaknesses: the points where your business might fail are particular to your own line of work, but whatever industry you engage in, risk is ubiquitous; it manifests itself in every aspect of your day-to-day business.
Begin your thought process by asking: how is IT enabling my business, how dependent are we on those facilities, and in what way are we entrusting our business's most valuable data to those systems? Perhaps you maintain your supply chain via a series of communications with different entities, placing orders and distributing the resources via an automated resource management system. Mayhap you rely on a data feed of stock prices from a third party upon which you make critical business decisions. No matter where you throw your gaze, an ever-vivid projection of security risk will surely materialize when you put on your risk-detection hat.
The next question you would likely ask yourself is the level of liability that you take on by utilizing technology as a means of enabling and operating your business. Maybe you have bought software from a known provider and entrust your transactions to the good ordinances of the almighty and large software giants of the world. But then you must ask yourself: have they considered your particular situation when designing the software, and are they privy to the specific configurations and customizations that your business has required for that software? Dub this the off-the-shelf risk that you've acquired.
Step back a moment and think. You run a practical business that can do without the large inefficiencies of general-purpose software. You've gone through the numbers and you've decided to get the software specifically tailored and built for you by a trusted software development business that happens to be of a smaller, efficient size.
Being practical, you put yourself in the shoes of your provider and imagine the steps they must have taken to ensure the safety of your data and of a business that happens to depend very much on their software. You recall a heavy urgency to build out the software in the shortest time possible (naturally, since you had wanted the software delivered last month, and it just made it). You think further about how that all worked out. Yes, analysts visited your office and listened intently as they gathered from you the basic requirements of your software, creating a somewhat rigorous document detailing all the features and use-cases you had pondered over and were satisfied with. You think of the design documents that you looked over, remember vaguely that a section on security discussed firewalls, and feel reassured about the whole thing.
In walks your security expert alter-ego, and slaps a file onto your desk, a stern look on her face as she gesticulates in pain "We've been hacked!"...
As the cold shower subsides, you begin to think back: how could this happen? A firewall should have ensured that you were well protected. Your alter ego sits herself down opposite you and looks into an imaginary sunset; she begins to ask you the questions you think you might have asked yourself (as you are literally doing so)...
- Did the creators of the software provide you with evidence of proper security testing having been conducted on their systems? No.
- Did the creators of the software ask you about the different roles of people in your business handling the various critical transactions, and what their levels of authority were? No.
- Did the creators of the software describe to you how your data was being protected while in storage or in flight for transactions? No.
- Did you practice your due diligence in getting a reputable third party to assess and accredit the security of the software system before putting it into operation and entrusting your business to its capable nibbles, bits and bytes? No.
And here you slap your forehead and say to yourself, "I'm glad this is all hypothetical; I'd better make sure the software we're about to pay for is actually trustworthy."
Nice :)
Good stuff here, Nadim Barsoum.