Information has inevitably become the most precious business asset in the modern digitalized world. Hackneyed equation “information security = business preservation” is too obvious to talk about, although…

Prerequisites to Make Infosec Work

For some business organizations, the security aspects of a software product still remain a mysterious black box. Here in Sigma Software, we are building a unique cybersecurity offering to serve as a bridge between businesses, software developers, and infosec experts. The aim of the offering is to help organizations be smart and efficient about their information security as well as ensure that information security policies and procedures are aligned to withstand current cyber-threats and keep up the security-conscious mindset.

The increased demand for information security services has been observed as a major trend since 2015, and 2017 was not an exception. Here are a few things that help satisfy the increasing demand:

Information Security Management System (ISMS) – a system established and maintained for years that underpins the secure software development lifecycle and runs through all procedures and practices, helping development teams avoid vulnerabilities in their code;

Company’s expertise:

Business domain knowledge – we’ve been building and testing software professionally for over 15 years in a multitude of business domains, spanning from media and ad tech to automotive and aviation;

Certified professionals – our engineers hold numerous security certifications, including OSCP (Offensive Security Certified Professional) and more. Some of them are winners of professional pentest (penetration testing) lab contests and CTF events;

Skilled recruitment – in 2017 we have doubled the infosec team and plan to expand it further in 2018.

Consulting Service – to help business owners who understand the importance of Information Security, but don’t know where to start.

Compliance with General Data Protection Regulation

Consulting on information security has become even more popular in the context of GDPR (General Data Protection Regulation), which comes into effect on May 25, 2018. Our customers want to ensure proper handling of the personal data of EU citizens to avoid reputational and financial losses. It is worth being on the alert, because fines start from 20 m Euro.

Hint 1: considering the relatively low operational costs, a GDPR compliance tag can potentially bring new business to your company, so you can view it as a smart investment.

Hint 2: the most appropriate way to organize GDPR-compliant processing of collected personal data is an Information Security Management System developed according to ISO 27001.

What to Start With

Digital assets and sensitive data can be highly project specific. The appropriate security measures may differ significantly depending on the company’s data flows, the type of data stored, and other factors. Our team usually starts with in-depth research, information gathering, and identifying the threat models unique to the engagement. Based on the findings, we create a customized security testing backlog for each engagement.

However, there are some actions you can consider before the research is performed for your product or company. Here they are:

Employee Awareness Training

Some clients choose to invest in human capital and raise the security awareness of each team member by means of employee awareness training. For this purpose, we provide a robust training program for staff members. The training program is proven to improve employees’ behavior in the face of cyber-security threats and social engineering.

Information Security Audits and Penetration Testing

Information Security Audits and Penetration Testing of numerous products help identify and fix critical vulnerabilities before solutions go live or hit the marketplace. Security audit activities mostly prevent:

users’ personal data leakage (names, emails, hashed passwords, and password reset tokens);

flaws in handling transaction and financial information;

harvesting of login credentials;

source code exposure;

malicious code injections;

redirecting users to links that spread malware;

complete takeover of the application, its secret keys, payment gateway credentials, etc.;

full database access.

Conclusion

To sum up, information security is not just for security freaks. Almost every company stores personal data or handles sensitive information that needs to be protected, and the sooner it is done the better. Dedicating proper effort to information security and collaborating with the right service partner significantly decreases the probability of unpleasant events, which can range from application performance drops and user discomfort to immense fines, reputational losses, and total loss of control over the software solution.