Category Archives: Stupid Security

If I had a Dollar (part 2) – penetration testing and security myths from Steve Darrall, Securus Global Practice Manager

September 12, 2012

After a too long hiatus, our popular list of things that we see go wrong on a regular basis is back. As I’m sat here writing this, I’ve obviously not had a dollar for every time that I’ve heard the following. I can only hope…

“An attacker wouldn’t know that”. Attackers are sneaky people. They generally know more than you think, and unfortunately for those defending against them they have time on their side. With enough effort and desire to compromise something, an attacker will know what they need to.

“We don’t store unencrypted credit card data anywhere”. This one always makes us raise our eyebrows. If we had a dollar for every time somebody said this alone we would retire to our private island somewhere nice and warm and spend the rest of our days sipping mojitos and smoking Cuban cigars.

“We have a web application firewall, we’re safe”. Good security practice is all about defence in depth, implemented smartly. No security product or appliance is a magical silver bullet that will make your problems go away. A wise man once said that rather than buying a single security appliance, people would be better off buying a Ferrari as a company pool car – TCO would be similar to an enterprise grade appliance over a 2-3 year period and there would probably be a better return to the company. (Happier security staff!)


If I had a Dollar – penetration testing and security myths from Steve Darrall, Securus Global Practice Manager

May 22, 2012

If I had a dollar… part 1 of (well, who knows?)

This post will be the first in a series from Securus Global where we dispel a few information security myths that we hear on an all too regular basis, to the point that if we were paid every time we heard them we’d be sunning ourselves on a quiet Pacific island. :-)

No doubt, you’ve heard most of these yourselves and may wonder if you’re alone. You’re not.

So without further ado, here’s our first installment…

“Once security testing is complete, we’ll put it into production”. This isn’t the best of project management approaches to take, in our experience. Any project should allow time for remediation and retesting activities to take place. Security testing shouldn’t be seen as a tick in the box on your project schedule.