IT Security for your company
The weakest link in ensuring security.
An Interview with Dawid Balut, Cyber
Security Director in TestArmy
Dawid Balut, TestArmy Cyber Security Director’s column
www.testarmy.com
Dawid Bałut
Cyber Security Director at TestArmy
An experienced pentester and
Bug Hunter who joined the
defensive side of the force and
for over half a decade worked as
a Security Architect for several
Silicon Valley corporations.
Nowadays, he builds security
systems, trains employees and
automates all security processes.
Who inside a company is really responsible for security?
What are the challenges facing the security industry and
which companies need testing?
What does the testing process look like and how is it carried
out?
The following interview is answered by Dawid Bałut - our
Cyber Security Director.
You have extensive experience in application security. Tell me what you have been doing so far and what you will do at TestArmy.
In my career, I have worked as a network operator, programmer, sysadmin, bug hunter, pentester, security engineer and in managerial positions.
For the last 5 years, I’ve been cooperating with an American firm in the
security sector that generates tens of millions of dollars every year.
As a security architect, I was responsible for building security systems
from top to bottom, focusing on process optimization and creating an
ecosystem that will make new mistakes less common.
In the meantime, I helped other companies and security professionals
secure their firms from the inside, by implementing DevSecOps and
increasing ROI from penetration tests and Bug Bounty programs.
At TestArmy, we want to help companies get a greater return on their investment in security. The most important element was building an elite team of pentesters, with the best group of experts I have met in my corporate life. We know that there are specialists for whom security is more than just a job, and who take pride in the quality of the services they provide to customers. That's why we want to create an ideal working environment for them and work together on something that is deeply important to us.
The second element that is very important for me
is the increased investments in education on the
subject of security as well as code, applications
and entire IT systems.
As a programmer and someone who has spent
the last half decade securing the software
engineering process, I know that in addition to
knowledge, programmers need useful tools and
resources.
It's good that you raised the Bug Bounty topic. You were one of the first pentesters reporting errors in the applications of companies like Amazon, Apple, eBay and Facebook. Do even tech giants have a security problem with their own applications?
Of course. In my career, I have not come across any company that did not have a security vulnerability.
Big players usually have problems related to their scale.
Corporations such as Facebook or Google produce so much code and
so many new applications that they are not able to secure it with their
own hands – which among other things, is the main reason for
launching Bug Bounty programs, in which they pay millions of dollars
annually to independent security researchers.
Google acquires dozens of smaller companies and their associated
products every year.
While with the appropriate processes it is possible to secure newly produced code inside the company, a very large amount of work is needed to test, from top to bottom, products inherited from the takeover of a company.
Big and small companies have many similar problems, but quite a few separate them.
For example, small businesses often can't afford security-savvy developers, while large companies bring in so many new employees each week that they do not always manage to train each employee sufficiently.
What challenges do you see facing the cybersecurity industry?
The growing amount of code, emerging new technologies and the increasing fluidity in delivering new versions of applications to the client bring with them the need to change our security management approach.
I am a huge supporter of the use of Agile and DevOps in the production of software, but many companies forget that "new" methodologies carry new threats.
Currently, in many companies, many processes related to code-quality testing are automated.
However, a very small number of companies have similar automation for security processes, which means that customers often end up with new security features that are not tested at all.
An ideal example is the Internet of Things market, where the
vast majority of products are completely unsecured. The
Internet of Things is growing at an incredible pace and we
need to contribute more to securing this sector. If we do not,
we will bring danger to users who will not know that hackers
can remotely peep into their child’s bedroom through the
webcam in a baby monitor, or remotely switch the oven on
full power when away from home.
What can a company requesting tests expect? What do they look like?
The process itself looks like this: a client asks us for pentests and then we work with them to understand if they really need a pentest.
We want our customers to understand what service they are
requesting and suggest the proper solution which will yield the
largest return for the customer.
When this is agreed, we send the client a questionnaire to
understand their technological stack, collect the system’s data and
potentially access the data.
We bring the client through the process so that they know what to
expect during our tests.
We agree on the date on which the test is to be carried out, and we
collect a team of the most competent pentesters in the
technologies used by the client.
Then we run tests documenting discovered vulnerabilities and
create a final report.
Such a report contains everything from a summary for the board to detailed information for programmers.
Thanks to this, the management knows what situation their
company is in and where they should increase their investments,
and the developers know exactly how to reproduce the error and
repair it by following our guidelines.
Will you always find some mistakes?
The ego of many pentesters orders us to answer "of course", but I will answer honestly: not necessarily.
Whether or not mistakes are found depends on many factors.
Apart from how much time is spent on testing the system and how complicated the application is, a lot depends on the quality of the testers who performed the tests before us.
In working for various software companies, I carried out hundreds
of penetration tests and it often happened that when we hired
external companies, to test the application previously tested by my
team, they came back empty-handed.
I have also encountered situations where external pentests
detected important vulnerabilities that were not found by another
pentest company a week earlier.
In the vast majority of cases, "something" will be found, while the chance of finding a serious error decreases in proportion to how good the company's security processes are and how many times it has used professional pentesting services in the past.
Still, such situations can be counted on one hand, and in most pentest scenarios there are serious errors.
What is usually the weakest point in security, and why is it usually human?
Because it is people who are responsible for the quality of the code and the product, and for the security of the infrastructure and applications used internally by other employees.
But when I mention humans as a weak point, I very rarely mean a developer.
When I talk about the person responsible for quality, I mean company management.
These are the people who decide how much to invest in security.
Are tests only relevant for large companies?
Sometimes on the contrary. Large companies often have great
programmers who know how to write secure code, have solid
software quality assurance processes, and often an internal security
team.
In my experience, smaller companies have more holes because they
cannot afford qualified specialists.
And even if they have such specialists on board, they prefer to
devote their time to producing something that brings a return
instead of testing security.
Also, the level of security awareness in smaller companies is much
lower, which means they do not realize what may happen if they
ignore the need to invest in security processes.
What do social engineering tests look like?
Ha, the purpose of social engineering tests is to make them not look
like social engineering tests!
Social engineering tests rely on the use of our emotions and abuse of
our human weaknesses in order to gain access to restricted resources.
Social engineering tests are unfortunately still the black sheep in the
world of security. While the majority of people have heard about
technical penetration tests, there are few companies that carry out
social engineering tests.
When the level of awareness of this type of threat is low among
employees, the attacker who wants to break into the company does
not have to invest hundreds of hours searching for vulnerabilities in
the software.
All you have to do is call a kind accountant who is known for her openness and willingness to help, and persuade her to release confidential information or passwords, for example by posing as an IT worker who needs this information to improve her computer's performance.
Who refuses an IT specialist who wants to improve your work for free?
All you have to do is enter your password so that they can log into your computer and optimize it.
What do you think about the huge wave of
popularity of Bug Bounty programs? Is it really
worth investing in them?
It’s worth it, but not everyone should. I will say that
most companies should not invest in it because, in
order to exploit the potential of Bug Bounty
programs, the company and its current security
processes must be very mature.
Bug Bounty programs involve encouraging external security
researchers to test the company’s software and systems. If
the researcher finds a mistake and reports it to the company
in a responsible way, he will be paid for it.
The problem with Bug Bounty programs is that they are not
cheap when it comes both to money and time, they are not
completely safe, and do not solve long-term problems.
Most companies should invest money in improving internal
processes for secure software development; in monitoring and
security systems; in solid penetration testing and only after
several dozen successful iterations can they think about
running the bug bounty program.
Bug Bounties should be the icing on the cake and they are not a
substitute for any other security initiative.
According to many reports, in 2019, there will be a shortage of around
two million security specialists in the labor market. How can we get
such a large number of employees and how can a company manage
this deficit?
I do not think that we have such a big problem with the lack of security
specialists.
I believe that companies simply cannot exploit the potential of people
who are already on the market and panic instead of focusing on a
practical approach to the problem.
The answer to the problem is to increase investments in education,
employing juniors and training them inside the company, identifying
internal talents or loosening employment policy by offering remote
work and flexible working hours.
Of course, there are many solutions and this problem is deeper, but
there is no point in talking about bigger government initiatives since
most companies do not do basic things like those mentioned above.
Generally, good specialists are missing in all specialties of the IT
industry.
We have a huge number of vacancies for programmers and sysadmins, but also for competent HR and management.
The main difference is that without proper company security, break-ins may bankrupt us and leak our data.
Without programmers or HR, the company will simply grow slowly, and this is its greatest risk.
TestArmy has been running a wide range of training for
programmers, testers and UI designers for many years.
Recently, we have added security testing workshops and will
work on more educational materials, because each company
should invest in the development of its employees.
Thank you very much for these incredibly accurate questions.
I plan to answer most of them in the form of longer articles on
the TestArmy blog because these problems are so important
that they deserve careful consideration.
Contact:
TestArmy Group S.A.
contact@testarmy.com
www.testarmy.com
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 

IT Security - TestArmy

  • 1. IT Security for your company. The weakest link in ensuring security. An Interview with Dawid Balut, Cyber Security Director in TestArmy. Dawid Balut, TestArmy Cyber Security Director’s column
  • 2. Dawid Bałut, Cyber Security Director at TestArmy. An experienced pentester and Bug Hunter who joined the defensive side of the force and for over half a decade worked as a Security Architect for several Silicon Valley corporations. Nowadays, he builds security systems, trains employees and automates all security processes.
  • 3. Who inside a company is really responsible for security? What are the challenges facing the security industry and which companies need testing? What does the testing process look like and how is it carried out? The following interview is answered by Dawid Bałut - our Cyber Security Director.
  • 4. You have extensive experience in application security. Tell me what you have been doing so far and what you will do at TestArmy. In my career, I have worked as a network operator, programmer, sysadmin, bug hunter, pentester, security engineer and in managerial positions. For the last 5 years, I’ve been cooperating with an American firm in the security sector that generates tens of millions of dollars every year. As a security architect, I was responsible for building security systems from top to bottom, focusing on process optimization and creating an ecosystem that will make new mistakes less common. In the meantime, I helped other companies and security professionals secure their firms from the inside, by implementing DevSecOps and increasing ROI from penetration tests and Bug Bounty programs.
  • 5. At TestArmy, we want to help companies get a greater return on their investment in security. The most important element was building an elite team of pentesters, with the best group of experts I have met in my corporate life. We know that there are specialists for whom safety is more than just a job, and who take pride in the quality of services they provide to customers. That’s why we want to create an ideal working environment for them and work together on something that is deeply important to us.
  • 6. The second element that is very important for me is increased investment in education on the subject of security, as well as code, applications and entire IT systems. As a programmer and someone who has spent the last half decade securing the software engineering process, I know that in addition to knowledge, programmers need useful tools and resources.
  • 7. It’s good that you raised the Bug Bounty topic. You were one of the first pentesters reporting errors in the applications of companies like Amazon, Apple, eBay and Facebook. Do even tech giants have a security problem with their own applications? Of course. In my career, I have not met any company that did not have a security vulnerability. Big players usually have problems related to their scale. Corporations such as Facebook or Google produce so much code and so many new applications that they are not able to secure it with their own hands – which, among other things, is the main reason for launching Bug Bounty programs, in which they pay millions of dollars annually to independent security researchers. Google acquires dozens of smaller companies and their associated products every year.
  • 8. While with the appropriate processes it is possible to secure newly produced code inside the company, a very large amount of work is needed to test products inherited from the takeover of a company from top to bottom. Big and small companies have many similar problems, but quite a few separate them. For example, small businesses often can’t afford security-savvy developers, while large companies bring in so many new employees each week that they do not always manage to train each employee sufficiently.
  • 9. What challenges do you see facing the cybersecurity industry? The growing amount of code, emerging new technologies and increasing liquidity in delivering new versions of applications to the client bring with them the need to change our security management approach. I am a huge supporter of the use of Agile and DevOps in the production of software, but many companies forget that “new” methodologies carry new threats. Currently, in many companies, the software is automated for many processes related to code quality testing. However, a very small number of companies have similar automation for security processes, which means that customers often end up with new security features that are not tested at all.
  • 10. An ideal example is the Internet of Things market, where the vast majority of products are completely unsecured. The Internet of Things is growing at an incredible pace and we need to contribute more to securing this sector. If we do not, we will bring danger to users who will not know that hackers can remotely peep into their child’s bedroom through the webcam in a baby monitor, or remotely switch the oven on full power when they are away from home.
  • 11. What can a company requesting tests expect? How do they look? The process itself looks like this: a client asks us for pentests and then we work with them to understand if they really need a pentest. We want our customers to understand what service they are requesting and suggest the proper solution which will yield the largest return for the customer. When this is agreed, we send the client a questionnaire to understand their technological stack, collect the system’s data and potentially access the data. We bring the client through the process so that they know what to expect during our tests.
  • 12. We agree on the date on which the test is to be carried out, and we collect a team of the most competent pentesters in the technologies used by the client. Then we run tests documenting discovered vulnerabilities and create a final report. Such a report contains everything from the summary for the board as well as detailed information for programmers. Thanks to this, the management knows what situation their company is in and where they should increase their investments, and the developers know exactly how to reproduce the error and repair it by following our guidelines.
  • 13. Will you always find mistakes? The ego of many pentesters orders us to answer “of course”, but I will answer honestly – not necessarily. Whether or not mistakes are found depends on many factors. In addition to how much time will be spent on testing the system and how complicated the application is, a lot depends on the quality of the testers who performed the tests before us.
  • 14. In working for various software companies, I carried out hundreds of penetration tests and it often happened that when we hired external companies to test an application previously tested by my team, they came back empty-handed. I have also encountered situations where external pentests detected important vulnerabilities that were not found by another pentest company a week earlier. In the vast majority of cases, “something” will be found, while the chance of finding a serious error decreases in proportion to how good the company’s security processes are and how many times it has used professional pentesters’ services in the past. After all, such situations can be counted on one hand and in most pentest scenarios there are serious errors.
  • 15. What is usually the weakest point in security and why is it usually human? Because it is the human who is responsible for the quality of the code, product or security of the infrastructure and applications used internally by other employees. But when I mention humans as a weak point, I very rarely mean a developer. When I talk about the person responsible for quality, I mean company management. These groups decide how much to invest in security.
  • 17. Are tests only valid for large companies? Sometimes on the contrary. Large companies often have great programmers who know how to write secure code, have solid software quality assurance processes, and often an internal security team. In my experience, smaller companies have more holes because they cannot afford qualified specialists. And even if they have such specialists on board, they prefer to devote their time to producing something that brings a return instead of testing security. Also, the level of security awareness in smaller companies is much lower, which means they do not realize what may happen if they ignore the need to invest in security processes.
  • 18. What do social engineering tests look like? Ha, the purpose of social engineering tests is to make them not look like social engineering tests! Social engineering tests rely on the use of our emotions and abuse of our human weaknesses in order to gain access to restricted resources. Social engineering tests are unfortunately still the black sheep in the world of security. While the majority of people have heard about technical penetration tests, there are few companies that carry out social engineering tests. When the level of awareness of this type of threat is low among employees, the attacker who wants to break into the company does not have to invest hundreds of hours searching for vulnerabilities in the software.
  • 19. All you have to do is call a kind accountant who is known for her openness and willingness to help, and persuade her to release confidential information or passwords, for example, by posing as an IT worker who needs this information to improve her work. Who refuses an IT specialist who wants to improve your work for free? All you have to do is enter your password so that they can log into your computer and optimize it.
  • 20. What do you think about the huge wave of popularity of Bug Bounty programs? Is it really worth investing in them? It’s worth it, but not everyone should. I will say that most companies should not invest in it because, in order to exploit the potential of Bug Bounty programs, the company and its current security processes must be very mature.
  • 21. Bug Bounty programs involve encouraging external security researchers to test the company’s software and systems. If the researcher finds a mistake and reports it to the company in a responsible way, he will be paid for it.
  • 22. The problem with Bug Bounty programs is that they are not cheap when it comes to both money and time, they are not completely safe, and they do not solve long-term problems. Most companies should invest money in improving internal processes for secure software development; in monitoring and security systems; in solid penetration testing; and only after several dozen successful iterations can they think about running a bug bounty program. Bug Bounties should be the icing on the cake and they are not a substitute for any other security initiative.
  • 23. According to many reports, in 2019 there will be a shortage of around two million security specialists in the labor market. How can we get such a large number of employees and how can a company manage this deficit? I do not think that we have such a big problem with the lack of security specialists. I believe that companies simply cannot exploit the potential of people who are already on the market and panic instead of focusing on a practical approach to the problem. The answer to the problem is to increase investment in education, employ juniors and train them inside the company, identify internal talents or loosen employment policy by offering remote work and flexible working hours.
  • 24. Of course, there are many solutions and this problem is deeper, but there is no point in talking about bigger government initiatives since most companies do not do basic things like those mentioned above. Generally, good specialists are missing in all specialties of the IT industry. We have a huge number of vacancies for programmers and sysadmins, but also for competent HR and management. The main difference is that without proper company security, break-ins may bankrupt us and leak our data. Without programmers or HR, the company will simply grow slowly, and this is its greatest risk.
  • 25. TestArmy has been running a wide range of training for programmers, testers and UI designers for many years. Recently, we have added security testing workshops and will work on more educational materials, because each company should invest in the development of its employees. Thank you very much for these incredibly accurate questions. I plan to answer most of them in the form of longer articles on the TestArmy blog because these problems are so important that they deserve careful consideration.