Oct 07 2021

Divide Between Security, Developers Deepens

Category: App Security | DISC @ 9:16 am

Security professionals work hard to plan secure IT environments for their organizations, but the developers who are tasked with implementing and carrying out these plans and procedures are often left out of the security planning process, creating a fractured relationship between development and security.

This was the conclusion of a VMware and Forrester study of 1,475 IT and security managers, including CIOs, CISOs and other managers responsible for security strategy and decision-making.

The report found security is still perceived as a barrier in organizations, with 52% of developer respondents saying they believed that security policies are stifling their ability to drive innovation.

Only one in five (22%) of the developers surveyed strongly agreed that they understand which security policies they are expected to comply with, and more than a quarter (27%) are not involved at all in security policy decisions, even though many of those decisions greatly affect their roles.

The research indicated that security needs a perception shift and should be more deeply embedded across people, processes and technologies.

This means involving developers in security planning earlier and more often; learning to speak the language of the development team rather than asking developers to speak security; sharing KPIs and increasing communication to improve relationships; and automating security to improve scalability, the report recommended.

Set a Clear Scope for Security Requirements

“Regardless of whether it’s customer-facing functionality or a business logic concern, every line of code developed should prioritize security as a design feature,” he said. “Once security is taken as seriously as other drivers for DevOps adoption, then a fully holistic integration can be achieved.”

#DevSecOps: A leader’s guide to producing secure software without compromising flow, feedback and continuous improvement

Tags: DevSecOps, Software developer


Apr 21 2010

Raid said to have hacked Google password system

Category: Cybercrime | DISC @ 3:30 pm

[Image: Google Appliance as shown at RSA Expo 2008 in ... (via Wikipedia)]

John Markoff, New York Times

Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret.

But a source with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s services, including e-mail.

The program, code-named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days in December, the source said. The software is intended to enable users to sign in with their password just once to operate a range of services.

The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making changes to the security of its networks after the intrusions. But the theft leaves open the possibility that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.

The new details seem likely to increase the debate about the security and privacy of systems that now centralize the personal information of millions of individuals and businesses.

Link to ‘poisoned’ site

The theft began with a single instant message sent to a Google employee in China, according to the person with knowledge of the inquiry, who spoke on the condition he not be identified. By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View.

Ultimately, the intruders were able to gain control of a software repository used by that team.

Tightening security

The details surrounding the theft of the software have been a closely guarded secret by the company. Google first publicly disclosed the theft in a Jan. 12 posting, which stated that the company was changing its policy toward China in the wake of the theft of unidentified “intellectual property” and the apparent compromise of the e-mail accounts of two human rights activists.

Company executives declined to comment Monday about the new details of the case.

Google continues to use the Gaia password system, now known as Single Sign-On, but has tightened the security of its data centers.

Several technical experts said that because Google had quickly learned of the theft of the software, it is unclear what the consequences of the theft have been. One of the most alarming possibilities is that the attackers might have intended to insert a Trojan Horse – a secret backdoor – into Gaia and install it in dozens of Google’s global data centers to establish clandestine entry points.

This article appeared on page D-1 of the San Francisco Chronicle on Apr 20, 2010

Cyber War: The Next Threat to National Security and What to Do About It
Tags: china, Gaia, Google, Human rights, Personal computer, Software developer, Trojan horse, Website