How secure is secure enough?

I suppose you have all seen my first presentation published on YouTube, the one I gave in Athens. So you also know that I was talking about security in IT. This presentation is also the one I have had to repeat most often so far. Most repetitions have obviously been for my employer and for our contracting partners. I do not want to repeat here what I was talking about (because you can see it for yourself), but I want to tell you about two extremes that happened to me when I approached some of our partners with the security topic.

I am sure that we have all noticed that security concerns have risen drastically in the last couple of years. But not only concerns; company management and leaders are also much more open to discussing, listening to and supporting our security efforts. This is certainly also true for my employer. So I was given the task of approaching the companies that develop software for us. On average the feedback is very positive, constructive and forward-looking, but there certainly are exceptions. Let me describe two very different responses I got…

1st response

This response represents the majority of the companies I approached.

Most of the development partners we work with do not have a dedicated security team; in most cases there is a single person who has taken it upon him- or herself to lead the security game in their company. This means that we cannot expect them to know, or to have very much experience with, the security topics that are HOT at the moment.

“This is great, we have already been thinking about this for a long time, but never had time to deep dive into security…”

“We are already doing this and that, but could you please tell us more about…”

“We think that we see too deep into your environment and would love it if you could limit our access a bit…”

“You are following security-related topics so closely and even have access to insights? Could you share your findings more often?”

I must agree that getting such responses from developers is very welcome and somewhat surprising, because until now developers were not known to care about security. This makes my work easier and brings security talks to a whole other level.

2nd response

I am happy that negative and ignorant responses are very rare. But I was nevertheless shocked by one particular response I got not so long ago. Here I am translating most of the answer, and I will withhold my comments…

“You want to do a security check of our application? But why? The application is not visible from the internet at all; it is visible only on your network and behind your firewalls. Furthermore, it can only be used by your users, who are authenticated by username and password. This way we see no way in or any vulnerabilities that could be misused.”

I am sure that we have not seen the last of the company with the 2nd response. I am not giving up on them and hope that I will be able to turn them around.

Stay curious and never stop learning!

