Wednesday, 28 July 2010

Observations from VZDBIR 2010


VZDBIR Interesting Graphs
I spent some time today reading the Verizon Data Breach Investigations Report (VZDBIR), as many of us did, and decided to collate a few of its more interesting graphs. Reports like this are a great way to understand the actual threats and to put some weight behind the argument to the business about where the eventual losses (measured as a percentage of records compromised) really come from. Taken together, the findings give an interesting view of these threats, whether advanced and/or persistent or not, and of what we in the security community are actually dealing with.


Questions that came to mind following the review 
- How can the compliance world take such findings on board and improve its standards? 
- How can the regulations/requirements be improved to put appropriate weight on the critical areas of security, instead of treating every control as an 'old school', across-the-board playing field? 
- Is what is required for compliance enough to protect the business against these threats? (On second thought, this question isn't worth answering ;))


Certainly, the report shows an ever-changing threat landscape. I believe compliance regimes could carry more weight in the security and business world by understanding such reports and incorporating their findings into standards and requirements.


It is not just compliance (although that is one of the biggest headaches in the business) that benefits: these observations can also help security management teams redesign and re-evaluate their security strategies, invest wisely to address the 'real' threats, and improve their return on investment.


Thoughts?

Monday, 5 July 2010

Testing and QA Challenges

How much of Testing and QA is enough?

This is a question many executives, senior managers, IT managers et al. are asking themselves.


With the recent failures at Apple and Toyota in this phase of development and/or production, their executives must surely have revisited this question and discussed where things can be improved to avoid such mistakes going forward.

Running a successful business is a challenging task. Management is always trying to strike the right balance: deliver a product that satisfies customer demand, ensure that the product is safe and secure, and ensure that it delivers what is promised. In doing so, the team must also maintain the right profit margins to keep the business running and growing. With increased competition in the market and reduced product shelf life, businesses face yet another challenge - Time to Market (TTM).



I was involved with a public sector organization that faced a vaguely related challenge. This organization managed a big website that went through six-week release cycles, with new ‘products’ introduced to keep it competitive. With these frequent changes came struggles to ensure the safety and security of the visitors while still delivering the product(s) as promised. Obviously, with short release cycles came shorter Testing and QA windows. Eventually, in such an environment Testing and QA tends to gravitate towards being a checklist rather than achieving what it is really intended to achieve.

Of course, alongside the shorter TTM and the short Testing/QA windows there are cost constraints, since the business must remain viable. So the important question remains - how much of it is enough? There are no simple answers, but I believe (and you can add to this) the bare minimum that an organisation can do is:

  • Effective communication between teams

  • Plan well and revise those plans as necessary

  • Use skilled staff for Testing and QA (and don’t let them get diverted by an incident!)

  • Retest after remediation (this is often missed!)

Certainly, hardware should undergo more rigorous and prolonged testing cycles than software products: a software defect can be fixed with a much-awaited 'update', whereas a hardware defect means a product recall. It is always smart to blame it on the software! No product recalls! I bet the next-gen Toyota will come with a network port :) Until then, Apple will keep fiddling with the on-screen graphics and ‘set a higher bar’ ;)