Friday, November 11, 2011

Vulnerability Research

Recently one of our clients has been going through a major transition: implementing new systems with a few other vendors, actually a chaos of new systems interacting with each other. The implementation has been rushed, and though each system functions as it is supposed to as a stand-alone, out-of-the-box solution, it does not fulfil much of the business's initiatives. There are some major vulnerabilities within the system architecture; the implementation has been driven by a lack of understanding of the domain and the business logic that drives it.

I had been spending less time reading about vulnerability research and QA control mechanisms, but the current implementation at XYZ corp. has spiked my interest back in this area. The vulnerabilities market for security experts is not as lucrative as it used to be, but I suspect it will have its own economic shift cycles as organizations' information and services move more into the cloud and SaaS-based environments.

Currently there remains a lack of information awareness and a gap (along with a huge divide) among IT professionals within small and medium-scale organizations (non-profit and for-profit), and, more importantly, in vulnerability research being part of the CIO's responsibilities and policy-making functions. My recommendation here is that information technology directors and CIOs actively create policies and conduct periodic penetration and vulnerability testing on all their IT infrastructure systems, both the internal ones and the ones they put in the cloud or outsource. These include, but are not limited to, SQL injection tests, malware checking and reporting, social engineering hacks, reverse-engineering of services and products, mobile management of BYOD as well as company-supplied devices, and routine network testing.

Create policies that aim at zero-day vulnerabilities in such a way that annually (or every two years) an IT auditing firm's viewpoint is gathered and incorporated into the strategic planning discussions with senior management.

Thoughts,

Sam Kurien
