Empower bug hunters and champions to boost security: Australia Post

Sasha Biskup, head of information security at Australia Post Digital Mailbox

Because most security flaws are introduced into enterprise applications during the development process, companies must take proactive steps to build internal security communities and run ‘bug bounty’ programs to convince sympathetic hackers to pick up on bugs before malicious hackers do, the head of security on Australia Post’s high-profile Digital Mailbox effort has advised.

Digital Mailbox represents the company’s effort to establish a beachhead in the digital world, to which its traditional letters business has rapidly lost out as Australians shifted their communications online over the past decade. It is designed as a secure, central repository for all sorts of crucial documents – which, in Australia Post’s thinking, extends not only to everyday documents like bills but to critical, personal documents such as passports and birth certificates.

Storing that kind of sensitive information naturally carries with it a significant burden of trust – and that’s why Sasha Biskup, head of information security at Australia Post Digital Mailbox, has been working on ways to ensure Digital Mailbox maintains the most effective security possible. At stake is the organisation’s entire reputation, which faces a continual threat of hacking by unknown outside parties.

“You want to minimise the costs and damage to the reputation of the brand as much as possible,” he told attendees at this week’s Digital Information Management & Security 2013 conference in Canberra. “The reality is that everyone gets hacked. But not everyone needs to report it, and not everyone reports it, so not everyone knows that everyone gets hacked.”

Many security flaws come from oversights during the development process, Biskup said, noting the importance of an agile development and proactive bug-identification regime to ensure that they’re quickly sorted out.

“Most of the problems are related to software development,” he said. “The end result of Agile methodologies is much more productive and also manifests itself in better security, and better participation.”

Participation was particularly important for companies seeking to build an effective security culture, he continued: development managers should promote iterative remediation activities by encouraging developers and security specialists to engage within shared communities, which also involve business leaders and others. This includes the appointment of internal ‘security champions’ – philosophical leaders who will “foster your ideas, and foster their creativity and passion into security,” he explained. Such creativity and passion can be tapped through group-motivation activities such as internal hacking days, regular meetings, and the granting of increased responsibility around security practices.

“These types of people – the coders and developers – aren’t going to be responsible for signing off on applications put onto the Internet, but the core of what I’m saying is that you want to reduce cost,” Biskup said. “We want to fix things earlier – and one way to do this is to get other people to do the job with regular security checks.”

External hackers also have a role to play, Biskup added, noting the growing appeal of ‘Bug bounties’ – in which companies pay rewards to outside hackers who identify, but do not exploit or publish, flaws they find in online applications.

“Application security people cannot scale because they’re a specialist field,” he explained. “They cannot scale to a large software development product or business. What you have to do is to embrace the company and invite people into your organisation. This all goes back to a core philosophy: realising that you are going to get hacked – so why not try to beat them to it?”

While the engagement and empowerment of a range of like-minded security specialists can help ferret out bugs early on, even the most proactive approach to community-building needs effective security tools and methodologies.

The same people working to ensure system security can be tasked with developing modules for testing specific known weak spots as an application continues to grow. Some companies are building out their own testing modules and security tools as development processes continue, Biskup said, although he warned that static testing tools on their own still needed to be reviewed and complemented with human testing.

“Static testing will catch certain types of bug classes, but they can’t ever catch certain types of other classes,” he explained. “These companies are building very intelligent analytic engines in response to attacks. They’re building in their own type of smarts.”

Training – both technical training and awareness training – is also essential to ensure companies get and keep appropriately skilled staff.

Yet it is measurement tools, which not only provide a concrete gauge of improving security but can also document an application’s improving security profile over time, that ultimately help security specialists quantify their successes and make the case for CSO compensation based on career success.

“As a security professional who wants to get paid more each year, metrics are a way of getting CIOs and CEOs to understand that there’s an improvement model,” Biskup said. “We want to fix these faster and cheaper over time. Bugs coming down mean everyone becomes happy.”


Stories by David Braue
