Your company has value. It has customers. It has reputation. It has money.
All these are of interest to criminals: whether a lone hacker, a sophisticated organisation, or perhaps a disgruntled, debt-ridden or blackmailed employee.
So I ask you: Is your software secure? What is the risk of a breach? Are your children safe?
If you don't know the answer to these questions, then you are a hack waiting to happen. It's like a life insurance policy. You don't have to have one, but can you afford the consequences of not having one?
You need to think about security, and this applies equally to externally facing systems as to internal ones.
I would like to suggest that every single application or service you write needs a threat model. The threat model is a very simple OWASP tool for assessing each component in terms of the STRIDE threats (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).
I would furthermore like to suggest that every threat you find needs an associated set of tests to be written.
You do have security tests, right? Right?
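As an added example (not from the original post, and not an OWASP tool), here is one way to make the two suggestions above checkable: record each STRIDE threat per component together with the names of the security tests that exercise it, then report any component with an unassessed STRIDE category and any threat with no test behind it. The component names, threat descriptions and test names are constructed for illustration.

```python
"""Threat-model-to-test traceability check (illustrative example, not an OWASP tool)."""
from dataclasses import dataclass, field
from enum import Enum


class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information Disclosure"
    DENIAL_OF_SERVICE = "Denial of Service"
    ELEVATION = "Elevation of Privilege"


@dataclass
class Threat:
    component: str            # component the threat applies to (hypothetical names below)
    category: Stride          # which STRIDE category it falls under
    description: str          # what could go wrong
    tests: list = field(default_factory=list)  # security tests that exercise this threat


def stride_gaps(threats, components):
    """Per component, the STRIDE categories with no recorded threat (model gaps)."""
    recorded = {c: set() for c in components}
    for t in threats:
        recorded.setdefault(t.component, set()).add(t.category)
    return {c: sorted(s.value for s in Stride if s not in recorded[c]) for c in components}


def untested_threats(threats):
    """Threats that have been identified but have no test written for them."""
    return [t for t in threats if not t.tests]


def coverage_report(threats, components):
    """Both checks in one structure, suitable for failing a build on."""
    return {
        "stride_gaps": stride_gaps(threats, components),
        "untested": [(t.component, t.category.value, t.description)
                     for t in untested_threats(threats)],
    }


# Constructed sample threat model for a hypothetical login API and session store.
COMPONENTS = ["login-api", "session-store"]
THREATS = [
    Threat("login-api", Stride.SPOOFING, "credential stuffing with leaked passwords",
           ["test_login_rate_limit", "test_mfa_required"]),
    Threat("login-api", Stride.TAMPERING, "unexpected fields in login request",
           ["test_login_rejects_unexpected_fields"]),
    Threat("login-api", Stride.REPUDIATION, "login attempts not logged",
           ["test_login_attempts_audited"]),
    Threat("login-api", Stride.INFO_DISCLOSURE, "username enumeration via error messages", []),
    Threat("login-api", Stride.DENIAL_OF_SERVICE, "flood of expensive password hashes",
           ["test_login_rate_limit"]),
    Threat("login-api", Stride.ELEVATION, "role claim accepted from the client",
           ["test_role_from_server_side_only"]),
    Threat("session-store", Stride.INFO_DISCLOSURE, "session ids readable across tenants",
           ["test_session_isolation"]),
    Threat("session-store", Stride.TAMPERING, "session record modified without integrity check", []),
]


if __name__ == "__main__":
    report = coverage_report(THREATS, COMPONENTS)
    for component, missing in report["stride_gaps"].items():
        if missing:
            print(f"{component}: no threat recorded for {', '.join(missing)}")
    for component, category, description in report["untested"]:
        print(f"{component}: untested {category} threat: {description}")
```

Run as a script it lists the session store's four unassessed STRIDE categories and the two threats that have no test; wired into CI it turns "you do have security tests, right?" into a failing build rather than a rhetorical question.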
Essential further reading: OWASP.