So, to help us get into the right frame of mind, and to stop dwelling on how dumb we all are, lets consider a couple simple but positive steps we can takestarting right nowto prevent the same problems from cropping up time after time.
1.) Study and learn.
Do you give your techies and software developers the time to learn security lessons? Training is a good starting point, but it has to go beyond that. They also have to learn. (Its the difference between transmitting and receiving.)
If you work with web technologies, start by getting them each a copy of OWASPs free WebGoat and WebScarab tools, and have every one of them work through every single exercise in WebGoat. In the training I do, Ive found no more effective learning tool than this excellent piece of free software from OWASP. Do it. No excuses.
2. Use checklists.
Heres the son of a pilot part of me showing up, I suppose, but checklists are vital. For all the repeated, mundane tasks you doperhaps producing USB sticks for conference attendees, or putting together software youre selling to your customerscome up with a simple checklist and follow it.
Make sure youre following a 2-person rule in following the checklist: one person checks and the other person verifies and marks each step completed.
Sounds tedious, doesnt it? Well, I can assure you infecting your customersor conference attendeeswith malware or some other nasty is anything but tedious, at least for the first 24 or 48 hours. After that, it might become tedious when your customers go to your competitors.
So, if its excitement you crave, dont bother with checklists. Dont bother learning from history. None of this stuff is for you. It is mundane. It can be downright boring.
But next time youre reading about your company and your former customers on CNN, perhaps youll start to yearn for the tedium. At the very least, Im willing to bet your customers will prefer it.