
What do you learn from your security reviews?
Posted on 2020-07-16 by Matt Strahan in Business Security
The results of the security review come in and they’re…let’s just say “less than ideal”. Vulnerabilities that could be used to break in, steal data, and potentially get the organisation in the news. Better fix those right away!
So we assign the tasks in our ITSM system and get to work. We patch what needs patching, reconfigure what needs reconfiguring, disable what shouldn’t be there, and then pat ourselves on the back and call it a day. We’re now secure…right?
This is what a lot of organisations do, but it’s only half the story. Those vulnerabilities didn’t come from nowhere; they were the symptom of an underlying problem, and if you don’t fix the problem then the same thing will happen over and over again.
In a previous blog post I spoke about the “5 whys” and pinning down the root causes that show up as vulnerabilities. One of those root causes that is bound to crop up again and again is training.
Developers are often not trained in secure coding. Administrators are often not trained in secure administration. And yet the security vulnerabilities those teams could introduce into the environment can have huge consequences for the organisation.
What can you do with a penetration test to help training?