Keeping your Security and Cybersecurity Development Chops up to Date
Developers and users read, almost daily, about sites being hacked, credit card information being stolen, intellectual property being taken and other security exploits. Most companies' executive teams now include a Chief Security Officer (CSO). Developers and operations teams inside those companies need to focus on ensuring the security of the systems they build. Developers, whether or not they are part of a security-focused company or team, need to stay up to date on the security aspects of software development. Are you keeping your development security chops up to date? Do you keep track of the state of the art in secure computing? Do your apps and your company sites have the right security features? If your apps use or run in a public cloud, does your provider give you the security you need? Is your community site still using HTTP instead of HTTPS? These are good and timely questions to ask of yourself and your company.
In a recent press release, “North American Developers Are the Only Ones Worrying About Cyber Warfare“, Evans Data reported on recent global developer survey results related to security, cyber crime and cyber warfare. The survey, conducted in six languages across four continents, showed that developers in both the emerging Latin American and Asia-Pacific regions view the largest threat as “Intellectual Property Thieves and Corporate Spies”, while those in the EMEA region cited “Cyber crime syndicates” as the threat we should be most concerned with. Only in North America was “Cyber Warfare from Nation States” cited by a significant number of developers; there it was the number one concern. You can read about additional findings in the Evans Data press release.
Security Blogs, Sites and Services
I keep up to date on what is happening with software and security by reading the security news, reading a few security blogs and following some of the sites focused on secure computing. You and your team members should spend some of your time keeping up to date as well. Here is a good starting list of top security-related sites with articles, blogs and links.
- Krebs on Security – Brian Krebs, a former Washington Post reporter, is a prolific blogger and security industry luminary who writes about security news and investigations. On his About the Author page he writes “Much of my knowledge about computers and Internet security comes from having cultivated regular and direct access to some of the smartest and most clueful geeks on the planet. The rest I think probably comes from a willingness to take risks, make mistakes, and learn from them.”
- Schneier on Security – “Bruce Schneier is an internationally renowned security technologist, called a “security guru” by The Economist. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press.”
- Information Week’s Dark Reading – “Long one of the most widely-read cyber security news sites on the Web, Dark Reading is now the most trusted online community for security professionals like you. Our community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.”
- Kaspersky Lab’s Threatpost – “Threatpost, The Kaspersky Lab security news service, is an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.”
- Wired’s Threat Level – “Wired talks privacy, crime, and security online, delving into clever hacks and workarounds and reporting on the latest security news impacting consumers and professionals in the field.”
- US-CERT (US Department of Homeland Security) – “US-CERT strives for a safer, stronger Internet for all Americans by responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world.”
- Norse Corp Live Attacks – World map with live attacks showing attack origins, types and targets. “Norse is dedicated to delivering live, accurate and unique attack intelligence that helps our customers block attacks, uncover hidden breaches and track threats emerging around the globe.”
- FireEye Cyber Threat Map – cool animated global map showing a live subset of real attack data. “FireEye protects both large and small organizations committed to stopping advanced cyber threats, data breaches and zero-day attacks. Organizations across various industries trust FireEye to secure their critical infrastructure and valuable assets, protect intellectual property and avoid bad press, costly fixes and downtime.” See also FireEye’s current threats page and blog posts.
The platform and device vendors also provide articles and information for developers. Here are a few articles and sites:
- Google – Secure your site with HTTPS explains how to move a site to HTTPS, and last year Google announced that search gives secure HTTPS URLs priority over regular HTTP ones. A recent blog post covers “Understand security issues” for Chrome DevTools. Because the Android operating system allows side-loading of APK files, Google also provides developers with security tips and best practices. The Google Online Security site is another good source of information.
- Apple iOS Security Guide (PDF) – “Apple designed the iOS platform with security at its core. When we set out to create the best possible mobile platform, we drew from decades of experience to build an entirely new architecture.”
- Microsoft’s Internet Safety and Security – Microsoft’s site for safety, privacy and security. The site includes links to security resources and information for individuals, families and companies.
Cyber Warfare Sites and Information
- RAND Corporation Cyber Warfare – Cyber Warfare research and insights – “RAND research provides recommendations to military and civilian decision makers on methods of defending against the damaging effects of cyber warfare on a nation’s digital infrastructure.”
- Financial Times Cyber Warfare news – reports and articles about cyber warfare, hacks and more.
Security Scanning for your Sites
There are many tools you can use to check the security of your sites. Check out the following services.
Qualys SSL Labs – SSL Server Test – “SSL Labs is one of the most used tools to scan an SSL web server. It provides deep analysis of your HTTPS URL including expiry date, overall rating, cipher, SSL/TLS version, handshake simulation, protocol details, BEAST and much more.”
WordPress Security Scan by HackerTarget.com – online security test for WordPress sites.
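If you want a first look at a site before (or between) SSL Labs runs, a few of the same checks are easy to script. The following is an added example written for this post, not a tool from Qualys, HackerTarget or any vendor listed above: it connects with Python's default verifying TLS context, then reports the negotiated protocol, the cipher's secret bits, certificate expiry, whether the certificate covers the hostname, and whether the HTTPS response carries a usable Strict-Transport-Security header (the practical answer to "is your site still on HTTP?"). The certificate, the clock value and the header sets used below are constructed fixtures, not real data; the 180-day HSTS floor is an assumption chosen to match common preload requirements.

```python
# Added example, not from the original post: a local approximation of a few checks
# SSL Labs reports on (protocol, cipher, expiry, hostname match) plus an HSTS check.
# The analysis functions are pure and run offline; probe() alone touches the network.
import socket
import ssl
import time

# Protocol versions a public site should no longer negotiate.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed fixtures (not a real certificate or a real clock), in the shapes
# that SSLSocket.getpeercert() and time.time() return.
SAMPLE_CERT = {"notAfter": "Jan 31 00:00:00 2030 GMT",
               "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net"))}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 15 00:00:00 2030 GMT")


def days_until_expiry(cert, now=None):
    """Whole days until notAfter (negative once expired); now is a POSIX timestamp."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def hostname_matches(cert, hostname):
    """Match hostname against the DNS SANs; a wildcard covers exactly one leftmost label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in (n for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"):
        name_labels = name.lower().split(".")
        if len(name_labels) != len(host_labels):
            continue
        if name_labels == host_labels:
            return True
        if name_labels[0] == "*" and len(name_labels) > 2 and name_labels[1:] == host_labels[1:]:
            return True
    return False


def hsts_findings(headers, min_max_age=15552000):
    """Check response headers for a usable HSTS policy (assumed floor: 180 days)."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: the first HTTP request can still be intercepted"]
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = 0
    for directive in directives:
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1].strip('"'))
            except ValueError:
                pass
    findings = []
    if max_age < min_max_age:
        findings.append(f"HSTS max-age {max_age} is below {min_max_age}")
    if "includesubdomains" not in directives:
        findings.append("HSTS policy does not cover subdomains (no includeSubDomains)")
    return findings


def assess(hostname, cert, version, cipher, headers, now=None):
    """Combine the checks into a list of findings; an empty list means nothing to fix."""
    findings = []
    if version in WEAK_PROTOCOLS:
        findings.append(f"negotiated {version}; only TLS 1.2 and 1.3 should be offered")
    name, _proto, bits = cipher  # the tuple SSLSocket.cipher() returns
    if bits is not None and bits < 128:
        findings.append(f"cipher {name} provides only {bits} secret bits")
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append(f"certificate expired {-days} days ago")
    elif days < 30:
        findings.append(f"certificate expires in {days} days")
    if not hostname_matches(cert, hostname):
        findings.append(f"certificate does not cover {hostname}")
    findings.extend(hsts_findings(headers))
    return findings


def parse_headers(raw_response):
    """Turn the head of an HTTP/1.1 response into a {name: value} dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            key, val = line.split(":", 1)
            headers[key.strip()] = val.strip()
    return headers


def probe(hostname, port=443, timeout=5.0):
    """Connect with Python's default verifying context and assess what the server offers."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n".encode())
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
            return assess(hostname, tls.getpeercert(), tls.version(), tls.cipher(),
                          parse_headers(data.decode("latin-1")))
```

Call `probe("www.example.com")` from a REPL to get the list of findings for a live host. Because `probe()` uses the default verifying context, a server that only offers SSLv3 or an untrusted certificate will raise `ssl.SSLError` rather than appear in the findings; that failure is itself the answer, and it is why a full SSL Labs run, which deliberately simulates older clients, remains the more thorough check.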
Are you using best practices for appdev and system security? Share your story
I am always looking for stories about security. If you want to share your security best practices and the sites and technologies that you follow, post a comment on this DevNet panel blog post.
David I.
VP, Developer Communities
Evans Data Corporation
davidi@evansdata.com
Twitter: @davidi99