Friday, November 30, 2018

IoT Security == Hygiene

Well, we have a long list of excuses. We are too busy, the product does not have enough budget, or the project margins are too small to justify significant engineering effort. As IoT devices become more prevalent in our homes and start to migrate into industry (as the new buzzword industrial Internet-of-Things seems to indicate they will), this approach will become less and less supportable. The odds of a significant lawsuit involving a compromised cloud camera trained on a driveway are much lower than those for a similar camera used to monitor water levels in a water treatment plant. Of course, we don’t need to wait for such a lawsuit to force us to start securing systems — we can just do things the right way instead.

Like most things, the majority of cybersecurity work is not glamorous — it’s just good hygiene. And today’s engineers need to be taught what this means. Most engineers are going to focus on ensuring a project is functionally complete and evaluate progress on how quickly and how well they can deliver that functionality. But good cybersecurity is related to that work and doesn’t take that much extra focus. Students need to learn how to review code; which library calls aren’t safe; how to monitor a product’s technical basis once it’s delivered to ensure that it remains secure; and how important it is to be able to update products when things go wrong. They need to know where to look to find information on the security status of libraries or systems they might use, and what that information means when they find it. They need to understand system and application hardening and secure programming practices. And much of this information is available today — students just need to learn that they need to look for it and use it.



from DZone.com Feed https://ift.tt/2E4eprr
