What can we learn from the top security breaches of 2021? What can we communicate to our team from these breaches to make plans for 2022 and beyond? Any fun Log4J related ones?
I want to address that breaches are normal and getting hacked is normal. If you look at the Hacktivity of HackerOne you can see crazy security holes in your favorite app.
The key is to get real and accept it’s always possible so you need to have a plan ready for when it happens.
Never trust a developer that says “we develop secure” because nobody does. Never accept “we did a pentest, we are secure” as an answer. It’s one of the most BS answers there is.
I think we need to shift security more to the left and train ourselves as testers in security awareness to get the basics right.
Absolutely! I believe they are very normal and feel there is huge value in observing breaches of our competitors specifically but if we have the capacity to do so, other breaches to see what we can learn from them. It can often shape our learning pathways and even our design pathways.
I am very much with you on this!
One thing the Log4j security breach especially taught us was how dependent we all are on open source projects.
I totally do agree with you @kristof that we really have to accept that even though we invested a lot of time in testing, there still might be a security breach hidden somewhere in the system. This basically comes down to the simple truth that you cannot guarantee that a system is error free, but only that it meets certain criteria.
Regarding open source projects, however, the situation could still be improved. Right now it looks to me like it is only giving from the creators of open source projects and only taking from a lot of companies who thankfully take the piece of software without giving anything in return. This can lead to problems, as these people now might not have enough resources to maintain the software properly. So one lesson we could definitely learn is that we should give more credit to open source projects, which would lead to higher quality. In the long run it would maybe even be cheaper for some companies to invest a certain amount of money or manpower into open source projects than to clean up the mess after a security breach.
Excellent points Samuel! Definitely agree that the open-source community is often taken for granted.