Monday, June 25, 2012

Application Owner vs Information Security fun#2 - on Web Application Firewall

I presume most of us security pros have heard of the Web Application Firewall (WAF). It is not a new technology, but only a few enterprises have seen the benefit and have the technology implemented within their infrastructure. I hope this story can shed more light on the benefit of having one and assist you in expediting your decision-making process in getting a WAF :)

Information Security lad: During our security review, we noticed that you have decided not to include a WAF as an additional protection layer for your web application. Although it is not a mandatory policy in our company, we strongly suggest having your web application protected by a WAF, as your web application is internet facing and will be handling important e-commerce transactions. Moreover, as you are offering 99.99% availability to your customer, you may want to have an extra layer of protection to support this commitment. New attacks could be easily mitigated by the WAF as its signatures are updated on a daily basis. I do know that our IT Supplier has a very good WAF team there.

Application Owner dude: Thank you for your suggestion... I don't see the need for it right now. We already have multiple layers of protection in place. We have a firewall and an Intrusion Prevention System (IPS) in front of the web application. Furthermore, we have done a security assessment and pen-test during our application development cycle and we have got a clean bill of health there. I believe your team did some security tests as well and found no weaknesses. The application is just robust.... Anyway, I don't really have extra budget....

Information Security lad: Well... if you insist and understand the risk, we won't stand in your way. We will approve this RFC.

5 months later.....

Thursday, June 21, 2012

The Facts of Information Security

Information Security is a Top-down approach;
Information Security needs support of Senior Management e.g. Board level;
Information Security is a responsibility of every employee;
Information Security is about People, Process and Technology;
Information Security's weakest link often is the People;
Information Security is not an IT issue, it's a business issue;
Information Security costs money, so do the police, the military and the like;
Information Security team is not your enemy, it is your business partner.

Feel free to add more :)

Ain't security fun? ;)

Wednesday, June 6, 2012

Business Owner vs Business IT vs IT Supplier - disaster recovery fun#2

A few weeks ago, I shared a story about the impact of not having Disaster Recovery, and I mentioned that there would be a sequel to it. So, here it goes.... the saga shall continue....

Business Owner guy: <* Addressing VIP business users *> It is very unfortunate that we were badly hit by the quake. As it was an act of God, we have to accept the losses etc etc.... Nevertheless, we have come out with a great disaster recovery plan to ensure business continuity in the event of a disaster. This time, we WILL be ready to face it!

Information Security lad: <* This guy is surely a great politician.... I wonder how he saved his ass, survived and resurrected from that gigantic mess... Last I heard, he even got a promotion *>

5 months later......

Business Owner guy: <* shouting over the phone *> What's happening? Why can't my customer access the application?