GraVoc’s information security team spent their Saturday morning at OWASP’s Boston Application Security Conference (BASC) in Cambridge. Kicked off by a keynote from Josh Corman, the conference featured technical and non-technical viewpoints on the state of the information security industry today, particularly the inadequacy of information security efforts worldwide. The “OWASP Top Ten” security vulnerabilities, according to Corman, should be narrowed to an “OWASP Top One,” with priority placed on eliminating the SQL injection vulnerability.
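To make Corman’s “Top One” concrete, here is an added example (not code from the conference, the speaker, or GraVoc) showing the defect and its fix side by side: a lookup that splices user input into SQL text, next to the same lookup using a bound parameter. The `users` table and its two rows are constructed sample data, and Python’s built-in `sqlite3` module stands in for whatever database a real application would use.

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real system.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: untrusted input becomes part of the SQL statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups against a benign and a malformed input and return the results."""
    conn = make_db()
    benign = "alice"
    # Classic textbook input: a quote that closes the literal and appends a tautology.
    malformed = "x' OR '1'='1"
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_malformed": lookup_concat(conn, malformed),  # leaks every row
        "param_benign": lookup_param(conn, benign),
        "param_malformed": lookup_param(conn, malformed),  # matches nothing
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Both lookups behave identically on ordinary input, which is why the concatenated form survives testing; the difference only shows on input containing a quote. The parameterized call is also no longer to write, so the fix is a habit rather than a cost, which is the point behind treating this one bug class as the priority.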

Other takeaways from the conference:

  • Information security focus is misguided, and as a result the industry has done a poor job. Right now, the information people are trying to protect is extremely replaceable. While it may take between 33 and 200 hours of work to restore one’s identity (depending on which source you believe), credit card numbers are being protected more watchfully than companies’ intellectual property or the safety and well-being of people.
  • Security should be part of the system development lifecycle instead of an afterthought. The software fix cost curve is well documented by now, but Saturday’s conference continued to cite the fact that it is better and less costly to detect a problem early rather than late in software development.
  • There is a big difference between compliant and secure. Compliance standards, while they have improved the security controls of the worst organizations, have eroded the security controls of the best organizations. Many businesses see security as a “check box,” where achieving the bare minimum and complying with a tangible (and mediocre) standard takes precedence over security excellence. Unfortunately, the baseline established by information security compliance standards and “best practices” is only marginally better than doing nothing at all.
  • The growing dependence on technology is outpacing people’s ability to secure it. If data integrity and availability were compromised by the exploitation of a security vulnerability, the results could be chaotic. People are moving to the cloud, virtual environments, and mobile devices before learning how to secure them.
  • A startling, but not surprising, statistic: of the $3.6 trillion spent on IT in a recent year, $60 billion (1.6%) was spent on IT security. Of that $60 billion, only 3% was spent on end-user security training. That means that 0.05% of all IT spending is devoted to arguably the most vulnerable part of many IT systems: the end-users.