Back in November, I had the privilege of being asked to speak to some students in the Information Systems and Computer Science tracks at Virginia International University (VIU). It was a great experience to share some ideas with a group of up-and-coming talent in the IT field, but it took some thought to figure out the best way to cover "security" with a group as wide-ranging as the one I was meeting. When I started the talk I asked how many students were planning to go into the security field, and only 1 of the roughly 35 attendees raised a hand. Given that, I think the presentation I had prepared fit them well.

Essentially, my presentation covered three fairly high-profile "security issues," and showed that the security pieces that failed in each were probably things the students would have to deal with in their IT careers even if they did not intend to go into security roles. Review the slides, but note that I tried to ask a lot of questions and foster a discussion; that is not captured in the slides, so I am including some of those notes below.

Relating to the first scenario I noted that:
- Personnel security potentially failed;
- Patch management definitely failed; and
- There had to be a lack of monitoring capability.
Relating to the second scenario I noted that:
- The failure here is almost singularly one of management: priorities were diverted elsewhere, and key controls that should have been in place were not;
- Configuration management for the developers was not in place, largely as a side effect of the issue above; and
- If the person behind this did not steal everything, then they were grossly incompetent as a manager of a business and of IT systems.
Relating to the third scenario I noted that:
- All of us in the room, and especially a lot of big companies, failed (lack of contributions and support, no investment of time by the community);
- "With many eyes, all bugs are shallow" is lip service if there are not actually many eyes; and
- If you are planning to go into a purely development role in your career, it is helpful to learn good secure coding practice and to look for support for secure development from the team you work with (in other words, embrace code audits as a way to improve instead of avoiding them as a roadblock to feature releases; and it is on us, the security folks, to make those audits hold value).
In any case, I hope you enjoy the slides. Maybe they provide a decent basis for your own conversations and interactions with those in the IT field.