Hacking is becoming a major problem, both locally and internationally, and it is becoming increasingly clear that the methods used to date to deter hackers are woefully ineffective. New approaches to security need to be adopted if companies and governments hope to keep their ICT infrastructures safe.
According to the B2B International Survey conducted in July 2012: “Customer information as well as financial data are lost most often – 36% of the time. This is closely followed by employee data – lost or stolen in 31% of cases.
“The causes of data leakage can be both external and internal. 35% of IT specialists confirmed their companies had lost data due to malware infection – the most common external threat. The next most common causes are e-mail-based attacks (21%) and phishing (17%).
“When it comes to internal threats, the loss of important data is most often caused by vulnerabilities in a company’s software (25%) that cybercriminals exploit to infect victim computers.”
Says Ziaan Hattingh, MD of IndigoCube, a company that enables and improves the productivity of the application life cycle, “Cyber-crime has become a business, and organised cyber-criminals in eastern Europe specialise in hacking company systems and stealing valuable data.
“The FBI rates South Africa sixth in cyber-crime destinations in the world,” Hattingh adds. “We’re virtually sitting on a powder-keg.”
Traditionally, security has started with the networks that enable anyone around the globe to access anyone else (or anything else), but this is not enough. Vulnerabilities today extend into the application layer, and this is where security must begin.
Says Hattingh: “We are not good at ensuring that code is secure before we put it into production, so vulnerabilities are created. The problem is two-fold: How do you ensure the code you put into production is clean, scanned for vulnerabilities and fixed accordingly; and, how do you go back to the root of the problem and make sure software development teams can write secure code?
“We don’t want to always be going back to fix code after it’s written. We’d rather help the developer teams write code that is secure from the start.”
To that end, IndigoCube has partnered with Security Innovations, a supplier of courses that address security skills for developers.
“The courses address security as a skill for every member of the development team – from business analysts to software architects,” Hattingh says, “because it is often poor specs that create the vulnerabilities. Teach the developers to write secure code. Teach the testers how to test for security. Test the build and deployment teams.
“Security Innovations offers a long list of courses,” he continues. “They’re computer-based and from one to three hours each. All are grouped per role so that teams progress in the training and the courses become more specific for their role. As an example, all will do the basics of software security, but only the developers will do security for Java.”
The courses are administered online and managers can see who has completed what. This also enables people to complete the courses as and when they have the time rather than having to sit for three hours at a stretch. In total there are three to four days’ worth of training for each role.
Says Hattingh: “Teaching developers to write decent code is a small investment if you consider legislation like POPI and the cost of failures and breaches. It’s also a lasting investment that will show continuing returns.”