Posted on May 23, 2013 in Uncategorized by adam

Every company has a moment where they are forced to care, I mean, really care about Security and Privacy. Sure, you should always care in the back of your mind, but at some point it comes front and center and becomes a key pillar of everything you do. The question is whether you are going to be ready for when it comes. Odds are, no. (Because if you were, you would already be caring.) I’ve seen this moment happen a couple of times, so here is my list of things you now need to pay a whole lot of attention to.

First, Security and Privacy are related, but different. In hand-wavy terms: Security is about keeping information in and the bad guys out, and Privacy is about individual people’s information held in your trust. And it is a trust, not a right.

With that, here is my brain dump on the topics.

Security

  • Who is the officially designated person for security problems?
  • Physical security – padlocks on the cage, etc.
  • Can people wander the office without being questioned?
  • Is all input validated on the backend as well as the frontend?
  • Disarm all input
  • Disarm all output
  • Don’t blindly use user-provided strings in queries
  • PCI compliance?
  • Don’t store passwords in the clear…
  • The first question about any change should be ‘what are the security ramifications?’
  • Do security bugs get put into the main bug database?
  • How are security things disclosed?
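Three of the items above (validate on the backend, don’t splice user strings into queries, don’t store passwords in the clear) in working code. This is an added example, not code from the post; the in-memory SQLite table, the username rule and the PBKDF2 parameters are my assumptions.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed in-memory database so the example runs offline (assumption: one users table).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

# Backend rule for usernames; assumed here, not taken from the post.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_username(name: str) -> bool:
    """Validate on the backend; never assume the frontend already did."""
    return USERNAME_RE.fullmatch(name) is not None


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: the clear-text password is never written to the database."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(username: str, password: str) -> bool:
    if not valid_username(username):
        return False
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))
    return True


def find_user_unsafe(username: str):
    """The pattern the checklist warns against: the user string becomes part of the SQL."""
    return conn.execute("SELECT username FROM users WHERE username = '" + username + "'").fetchall()


def find_user(username: str):
    """Parameterised: the driver sends the value separately, so it is only ever data."""
    return conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchall()


def check_login(username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time compare of the stored hash against a fresh hash of the attempt.
    return hmac.compare_digest(stored, hash_password(password, salt))
```

The crafted lookup string `' OR '1'='1` returns every row through the spliced query and no rows through the parameterised one, which is the whole difference the checklist item is about.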

Privacy

  • Who is the officially designated person for privacy problems?
  • Do you know what PII (Personally Identifiable Information) you have?
  • Do you know what flows the PII participates in?
  • People need to be bucketed based on their informational needs
  • Don’t clone your production database down into lower environments — without scrubbing the PII
  • Do not display PII to anyone other than the owner of it. (Unless they really need it.)
  • PII should be encrypted in the database
  • Thou shalt not grant access to the production database
  • Log the stink out of access, including reads, of things that contain PII
  • The second question about any change should be ‘what are the privacy ramifications?’
  • Do privacy bugs get put into the main bug database?
  • How are privacy things disclosed?
  • What legislation around PII affects you? And in what jurisdiction? Is it where the head office is? Where the app is hosted? Neither?

Writing secure code is actually not that hard. We know how to do this. At this point it is really just sloppy code. But putting the people and process around how that code gets generated is hard.

This is just a quick off-the-top-of-my-head list, but the key thing to remember is that it’s not paranoia if they are actually after you. And ‘they’ are.