
August 28, 2007

Both insurance and prevention!

One of the hardest things about security is getting people to understand it and to implement it. This can mean small, simple things or something more advanced. For example, most of us realize that having a complex password is a good thing, but what about changing that password on a regular basis? Work probably forces you to change it quarterly, but when is the last time you changed your Amazon password? Or the password for your banking account?

Deciding what kind of security system is needed is part of this process. Some things, such as a network firewall or an SMTP gateway, are easy decisions. They are de facto needs (firewalls) or address an obvious problem (blocking spam via an SMTP gateway). Deciding to protect against something that hasn't happened to you yet (your Web site being hacked, as an example) takes a more forward-thinking person. How much does having an automated Web application security solution really help? Are you wasting resources and time testing for something that might never affect you? Or will you be glad to have it?

If you think about it, security is an insurance policy. It's something that you spend effort deploying and implementing in order to protect yourself. When you don't need it, you feel like the time and money was wasted. At the same time though, when it is needed, you are eternally grateful.

Yet at the same time security is a preventative tool. If you regularly lock your car, then nothing is stolen (or at least not as often). If you've fixed all the holes in your Web applications, then there is no opening for the hackers to get in. So while security might seem tedious and at times an overkill, it is still better than cleaning up the mess of lost or stolen data afterwards.

- Mike Kazmierczak, Cenzic, Inc.


Comments

Think this is a good time to buttress this article by pointing to a good example of how much it can cost not implementing security up front. I think the TJX data loss fiasco is now estimated at costing them around US $150 million. Security is a matter of assessing risk, doing a cost vs. benefit analysis and then implementing what you need. You don't need to spend a million dollars on IT security if you assess that a loss will only happen every 2 years and cost you $5000 in cleanup. But you still need to do that up-front assessment and implement security up front. Else you could be up S#^t& creek without a paddle really quickly!
