
Vulnerability Research

Recently one of our clients has been going through a major transition, implementing new systems with a few other vendors; in practice it is a chaos of new systems interacting with each other. The implementation has been rushed, and though the systems function as they are supposed to as stand-alone, out-of-the-box solutions, they fulfil little of the business's initiatives. There are some major vulnerabilities within the system architecture; the implementation has been driven by a lack of understanding of the domain and the business logic that drives it.

I have spent less time reading about vulnerability research and QA control mechanisms, but the current implementation at XYZ Corp. has piqued my interest in this area again. The vulnerability market for security experts is not as lucrative as it used to be, but I suspect it will have its own economic shift cycles as organizations' information and services move further into the cloud and SaaS-based environments.

Currently there remains a lack of information awareness, and a gap (along with a huge divide), among IT professionals within small and medium-sized organizations (non-profit and for-profit). More importantly, vulnerability research should be part of the CIO's responsibilities and policy-making functions. My recommendation here is that information technology directors and CIOs actively create policies and conduct periodic penetration and vulnerability testing on all their IT infrastructure systems, both internal and those they place in the cloud or outsource. These include, but are not limited to, SQL injection tests, malware checking and reporting, social engineering tests, reverse engineering of services and products, mobile device management for BYOD as well as company-supplied devices, and routine network testing.

Create policies that target zero-day vulnerabilities in such a way that annually (or every two years) an IT auditing firm's viewpoint is gathered and incorporated into strategic planning discussions with senior management.

Thoughts,

Sam Kurien
