Security is becoming increasingly important as technology advances. Infrastructure complexity is directly proportional to the effort needed to assess whether you have covered every potentially vulnerable area. And it's not only a matter of your company's security, but of your own online security too. Rumor has it that information has become, in this day and age, both a commodity and a tool to be used for good or…not.
Security testing is great at teaching you that even when you think you have gained enough information about an application, there is always the possibility that someone else will come up with an unexpected way of cheating the rules and knock you back to square one. It teaches you to get more comfortable with the idea that you can never be sure you know everything, and that, in turn, teaches you a form of humility: we are in a constant, ever-changing process, and learning never stops.
The restrictive nature of security can put off a lot of people, myself included sometimes. You know, situations where you have to download two certificate files, generate a new password daily, jump through hoops, eat a sword on fire – just to get access to a file. Perhaps the resistance that increased security meets has to do with our general reluctance to take actions that offer no immediate gain.
When it comes to the subject of security, one has to remember the big picture of "protecting information" and the costs we incur when we fail to do that properly. Security vulnerabilities are among the most expensive issues you will have to solve, although not all of them are solvable, and the preventive measures can be challenging to fit into our day-to-day work.
That's why security needs to be an organic process, continually supported by genuine feedback, and that can only happen with increased awareness of the importance of integrating it into our daily tasks.
When integrating security policies in a company, the CIA (Confidentiality, Integrity, Availability) triad is a useful acronym to keep in mind for assessing your progress from a high-level perspective:
· Confidentiality: make sure that unwanted people do not have access to the data
· Integrity: make sure that the protective measures applied to the data do not alter the data itself
· Availability: make sure that the wanted people still have access to the data they require
From a security testing perspective, the most important aspect would be the "Availability" of information. If, in creating protective measures for something, you end up destroying its usefulness, then the whole process becomes pointless and you've just hit a dead end.