Sasha Biskup, head of information security at Australia Post Digital Mailbox
Because most security flaws are introduced into enterprise applications during the development process, companies must take proactive steps to build internal security communities and run ‘bug bounty’ programs to convince sympathetic hackers to pick up on bugs before malicious hackers do, the head of security on Australia Post’s high-profile Digital Mailbox effort has advised.
Digital Mailbox represents the company’s effort to establish a beachhead in the digital world, to which its traditional letters business has rapidly lost out as Australians shifted their communications online over the past decade. It is designed as a secure, central repository for all sorts of crucial documents – which, in Australia Post’s thinking, extends not only to everyday documents like bills but to critical, personal documents such as passports and birth certificates.
Storing that kind of sensitive information naturally carries with it a significant burden of trust – and that’s why Sasha Biskup, head of information security at Australia Post Digital Mailbox, has been working on ways to ensure Digital Mailbox maintains the most effective security possible. At risk is the entire reputation of the organisation, which faces a continual threat of hacking from unknown outside forces.
“You want to minimise the costs and damage to the reputation of the brand as much as possible,” he told attendees at this week’s Digital Information Management & Security 2013 conference in Canberra. “The reality is that everyone gets hacked. But not everyone needs to report it, and not everyone reports it, so not everyone knows that everyone gets hacked.”
Many security flaws come from oversights during the development process, Biskup says, noting the importance of an agile development and proactive bug-identification regime to ensure that they’re quickly sorted out.
“Most of the problems are related to software development,” he said. “The end result of Agile methodologies is much more productive and also manifests itself in better security, and better participation.”
Participation was particularly important for companies seeking to build an effective security culture, he continued: development managers should promote iterative remediation by encouraging developers and security specialists to engage in shared communities that also involve business leaders and others. This includes appointing internal ‘security champions’ – philosophical leaders who will “foster your ideas, and foster their creativity and passion into security,” he explained. Such creativity and passion can be tapped through group-motivation activities such as internal hacking days, regular meetings, and the granting of increased responsibility around security practices.
“These types of people – the coders and developers – aren’t going to be responsible for signing off on applications put onto the Internet, but the core of what I’m saying is that you want to reduce cost,” Biskup said. “We want to fix things earlier – and one way to do this is to get other people to do the job with regular security checks.”
External hackers also have a role to play, Biskup added, noting the growing appeal of ‘bug bounties’ – in which companies pay rewards to outside hackers who identify, but do not exploit or publish, flaws they find in online applications.
“Application security people cannot scale because they’re a specialist field,” he explained. “They cannot scale to a large software development product or business. What you have to do is to embrace the company and invite people into your organisation. This all goes back to a core philosophy: realising that you are going to get hacked – so why not try to beat them to it?”
While the engagement and empowerment of a range of like-minded security specialists can help ferret out bugs early on, even the most proactive approach to community-building needs effective security tools and methodologies.
The same people working to ensure system security can be tasked with developing modules for testing specific known weak spots as an application continues to grow. Some companies are building out their own testing modules and security tools as development processes continue, Biskup said, although he warned that static testing tools on their own still needed to be reviewed and complemented with human testing.
“Static testing will catch certain types of bug classes, but they can’t ever catch certain types of other classes,” he explained. “These companies are building very intelligent analytic engines in response to attacks. They’re building in their own type of smarts.”
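The kind of home-grown testing module Biskup describes, as an added illustration that is not code from the article or from Australia Post: a small static check, built on Python's standard-library `ast` module, that flags one known weak-spot class (dynamic code execution via `eval`/`exec`, and `subprocess` calls with `shell=True`). The two sample sources are constructed for this example; the second one deliberately passes `shell=True` through a dictionary so that the same check misses it, which is exactly the gap the quote above says still needs human review.

```python
"""Minimal custom static check for one known weak-spot class.

Added example, not from the article or Australia Post. Uses the stdlib
``ast`` module; the sample sources below are constructed for this demo.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int    # source line where the pattern was seen
    rule: str    # short rule id, e.g. "shell-true"
    detail: str  # human-readable description


def _call_name(func):
    """Return a dotted name for the callee, e.g. 'subprocess.run', or ''."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


SUBPROCESS_CALLS = {
    "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output",
}


class WeakSpotVisitor(ast.NodeVisitor):
    """Walk the AST and record calls that match the checked patterns."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node.func)
        if name in {"eval", "exec"}:
            self.findings.append(
                Finding(node.lineno, "dynamic-code", f"call to {name}()"))
        if name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                # Only a literal shell=True keyword is visible statically;
                # shell=True smuggled in via **kwargs is not caught here.
                if (kw.arg == "shell"
                        and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(
                        Finding(node.lineno, "shell-true",
                                f"{name} called with shell=True"))
        self.generic_visit(node)  # keep walking nested calls


def scan_source(source, filename="<string>"):
    """Parse ``source`` and return findings sorted by line number."""
    tree = ast.parse(source, filename=filename)
    visitor = WeakSpotVisitor()
    visitor.visit(tree)
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample: both patterns are written literally, so the check
# sees them.
SAMPLE_FLAGGED = """\
import subprocess

def run_report(user_input):
    subprocess.run("report --name " + user_input, shell=True)
    return eval(user_input)
"""

# Constructed sample: same behaviour, but shell=True arrives via **opts,
# which this static check cannot resolve. A reviewer would.
SAMPLE_MISSED = """\
import subprocess

def run_report(user_input):
    opts = {"shell": True}
    subprocess.run("report --name " + user_input, **opts)
"""


if __name__ == "__main__":
    for label, src in (("flagged", SAMPLE_FLAGGED), ("missed", SAMPLE_MISSED)):
        print(label, [(f.line, f.rule) for f in scan_source(src)])
```

Run as a script it prints the findings for each sample; in practice such a module would be wired into the build alongside a commercial static analyser, with the "missed" cases feeding the list of things that still go to human testers.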
Training – both technical training and awareness training – is also essential to ensure companies get and keep appropriately skilled staff.
Yet it is measurement tools – which not only provide a concrete gauge of improving security but also document an application’s improving security profile – that ultimately help security specialists quantify their successes and make the case for CSO compensation tied to that success.
“As a security professional who wants to get paid more each year, metrics are a way of getting CIOs and CEOs to understand that there’s an improvement model,” Biskup said. “We want to fix these faster and cheaper over time. Bugs coming down mean everyone becomes happy.”