Friday, December 13, 2013

My First Five 2014 Security Predictions

I thought I would get my predictions for 2014 down quick.  This is not at all in jest or the result of a jaded security week.  Super serious on these.

1.  Credential Management will still be a problem:  Many large enterprises that you would expect to have a process for managing privileged accounts will still have this problem at the end of 2014.  Forget about the small orgs.  I'll save that for 2016.  Approval for access to information?  That's tracked?  For *all* apps, including those outside AD?  Check me next year.

2.  Application Security detailed questions will still receive the response of "we absolutely practice application security, every new project goes through extensive review to determine what the end user account can do."

3.  Response to malware incidents will result in "Vendor X said to buy this and it is everything I need; we can't get the business to sign off on disabling USBs or removing Admin privs."

4.  Questions regarding the approach to moving to the cloud will result in "well, it's <Insert Huge Vendor Name>, so I am sure they encrypt my data at rest and use security monitoring on my services," never mind that the ToS and Services say *nothing* about this.

5.  We will all continue to have problems hiring good security people.  Many of us will fail to build new security people.  Recruiters will continue to use crappy methods / approaches for getting our interest.

So, I promise at the end of 2014 that I will have tried to help improve each of the above by at least 1 (e.g. one more org has adopted a comprehensive AppSec Program.)  Lord help me if that is all I do next year.
