By now it's pretty clear that Web security issues are business issues that cannot be ignored. Many well-publicized Web attacks combined with PCI DSS, the recent HITECH Act and similar regulations, have pushed Web security onto the radar of business leaders. Given where we're at with Web security, we've arguably advanced beyond the "firewalls + SSL = security" mindset but we have a ways to go, especially with Web 2.0 technologies.
The way I see things now is that we have a lot of hype surrounding Web 2.0 that management doesn't necessarily understand. Where there's a lack of understanding, there's a lack of buy-in and thus the cycle of limited support – and continued security breaches – will continue. As IT professionals it's relatively simple for us to understand the inherent security flaws in Ajax, Web Services, Flash, and other Web 2.0 technologies. But how can you take what you now know as this relates to development and testing and translate that into management speak that means something to them? More than anything else building trust and credibility are key to getting people on your side.
Here are six things you can start doing right now to do just that:
- Show management that you're interested in doing's what right for the business. After all, if it weren't for the underlying premise of the business – to acquire and keep customers – your skills wouldn't be needed.
- Explain to management, in the most basic terms possible, what Web 2.0 means to your business. No bits and bytes but rather software functionality that can provide a better user experience, enhance marketing, or reduce server/Internet processing requirements. Any development and testing tie-ins you can throw in such as standardized languages and toolsets will also be of benefit. Once they understand what Web 2.0 is about and how critical it is to the business you create the foundation for the security tie in.
- Provide examples of Web 2.0 security weaknesses and share with management how they can affect your business. Explain why Web 2.0 weaknesses are not really all that different from Web weaknesses of the past. They're just exploited a little differently using newer technologies. If anything, just explain how Web 2.0 complicates things in the developing and testing stages and increased complexity brings increased unknowns.
- Outline the ways you've had to tweak your development and QA processes and toolsets to accommodate for these newer technologies.
- Talk about how Web 2.0 threats and vulnerabilities don't discriminate based on application type or line of work you're in. The risks are there regardless.
- Communicate what it's going to take to fix the issues at hand. This means finding out where your applications are weak and then outlining how specific controls can fix specific security flaws which, in turn, address specific business requirements.
- Prove that your development, QA, and related security efforts are paying off. Document your involvement and what you're finding with Web 2.0 security issues. Regression tests, penetration tests, and source code analyses can all be used to demonstrate current weaknesses as well as how previous Web 2.0 risks have been mitigated.
You might not claim to be a sales professional but if you're going to get management on your side you've got to approach Web 2.0 security in this way. In fact, the ability to sell is one of the base skills those of us in IT must possess. To do it right you have to be vigilant and continually keep security on the top of everyone's mind – even within development and QA circles. Over time, by properly communicating to management Web 2.0 security concerns to management you'll demonstrate its importance and open their eyes as to why they should care. It may not seem like it's worth the effort but I can guarantee you it is. Having your team and management on the same page will help create an environment of trust where everyone can lower their guard and work together to improve software quality. That's what this is all about anyway.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security including the ethical hacking books, Hacking for Dummies and Hacking Wireless Networks for Dummies (Wiley). He's also the creator of the Security On Wheels IT security audio books.