October is National Cybersecurity Awareness Month. As demonstrated by the recent Equifax breach, where hackers obtained an estimated 143 million American consumers’ personally identifiable information, including Social Security numbers and driver’s license numbers, individuals and companies alike need to be more security conscious and better prepared to reduce cyber security risk.
Equifax and the Importance of Security Culture
In the case of Equifax, the root cause of the breach was an Apache Struts server-side template injection vulnerability, described in a detailed technical analysis by Eric Rafallof of Gotham Digital Science. The vulnerability is rated “critical” with the maximum score of 10.0, and Apache disclosed and fixed it on March 6, 2017 with the release of Apache Struts version 2.3.32 or 2.5.10.1.
Organizations can prevent data breaches by performing software patches on a timely basis, and by coding applications securely from the start. A strong security culture can help ensure that developers embrace secure practices at the grassroots level, and do not simply adhere to internal policies enforced by risk management and internal audit after the fact.
Secure DevOps through Security Champions Programs
One successful model for spreading secure practices and developing a strong security culture across an organization is implementing a Security Champions Program. Gartner offers recommendations on how to design such a program and how DevOps security champions can help organizations gain leverage without the firm having to invest in training for everyone. Gartner recommends that security and risk management leaders position an individual as the security expert within each development team; there they act as a champion who conveys security priorities to colleagues.
No matter whether you are a small or large firm, Security Compass can help kickstart and develop your Security Champions program. We offer training for your champions, speaker forums from industry experts, program management, and help you demonstrate program success to support your business case.
OWASP Top 10 Vulnerabilities Training
We blend the best of Instructor-Led Training on OWASP Top 10 vulnerabilities with role-based training in the form of Software Security Practitioner (SSP) Suites to help organizations spread secure practices at the grassroots level. Role-based learning allows developers to learn only what is relevant to their day-to-day job, quickly and effectively. Security Compass is the sole provider of SSP Suites, which were developed in partnership with (ISC)², a global leader in information security education and certification.