Category Archives: SDLC

What does the WikiLeaks announcement mean to you?

I doubt you missed it but this week but WikiLeaks announced some very serious allegations on how vulnerabilities are being used by government agencies to compromise devices then use the devices to listen to conversations and capture all data from those devices. Do I have your attention now?

If you have one of following pay attention:

a. An iPhone
b. An Android phone and/or based device (this category is very wide)
c. Windows
d. Smart TV
e. Home IoT devices
f. Fake versions of security software from McAfee, Kaspersky, and Sophos

The list goes on and on. This truly represents a significant president  that an intelligence organization has infiltrated and created a platform to compromised systems for spying. I for one am not surprised. Why????

1. Many companies do not have SDLCs that include security testing and those that do only do the minimums they are required for their particular industry.

2. Many do not threat model or conduct aggressive pen-testing that is required for many of these products.

3. Executives are more inclined to release an insecure product to get revenues versus doing the right thing and securing it from the get go. Go to many startup incubators, they only think about security and privacy when they hit several 1000 of users or larger companies start asking about the security posture. Many of the folks that fund these start-ups consider security a “patching” problem. They want their money so get the product to point where someone is going to pay big dollars for it and we can walk away.

4 .Vendors are not required to provide any assurance to their products. This is why IoT in the consumer and business markets is a bounty of either compromised or to be compromised devices that are used in pivot attacks.

So how do you protect yourself and your organization in this wild west of vulnerable software? Consider the data you collect, store and process then how it is touched by the known vulnerable products listed above. Now, start to remove your critical data from these platforms until the patches and fixes can be provided. Start asking vendors and service providers those uncomfortable questions:

a. How do you securely test and design your software or solution? Prove it!
b. Do you provide free upgraded and patches to your products?
c. When was the last time you experienced a data breach?
d. How is your source code protected and evaluated against backdoors and compromises?
e. What security training do you provide your staff on a regular basis?
f. What 3rd party evaluations have you had conducted against your products?
g. What is your vulnerability disclosure policy?

The answers to these questions are going to give you a good sense to the security posture of the vendor. If they cannot answer these immediate or have to go check. Walk away! A company that has instilled a culture of security will have the answers to all members of staff.

Additionally, I would recommend that you stay off public WiFi networks as these are used to hunt for victims. Stop making it easy for governments to gain access to your devices. This includes corporate confidential and IP data because they take that too. Harden your device as much as you can and use a IPSec VPN to project your data in transit. Finally, encrypt all your stored data. If your systems are compromise you need to have that additional level of protection.


Cyber Canucks EP8 – Cyber Assurance Programs

We hope you enjoy episode 8 in our series of podcasts on cybersecurity

Hosts: Cid Parato and Faud Khan

Topics of this episode include how we TwelveDot look to help organizations implement a cyber assurance program. These aspects are key to getting your company and/or organization prepared to start thinking security in everything they do.

  • GAP Analysis– benchmark of current policies, partnerships, employees. As we focus on ISO and the 27K family of standards. We recommended that an Gap Analysis be conducted using ISO 270001. If you in industries such financial or telecom there are special supplements in 27K family that addressed specific controls for these sectors however the over arching approach is based on ISO 27001.
  • Assessment – Initial assessment identifies/validates to create risk assessment document and then action plan. Get your risk management practice jump started and running with ISO 27005 and ISO 31000. These should provide the necessary foundation for you to build your practice.
  • ISMS – Information Security Management System. This takes the previous two steps and then formally initiates the process and policies necessary to implement and continue to develop and mature as your organization grows and develops.
  • SDLC – System Development Life Cycle use be formalized for any company that produces a product/service. As part of your ISMS implementation will create the necessary checks and balances to ensure that cyber risks and privacy elements are identified, assessed, and mitigated as required. This is before you ever release your solution.
  • Evaluation – Internal and External Evaluations ( certification ) will be required on a on going basis. While many can be completed internally as part of your ISMS implementation you will need to bring in external assessment auditors for certification of your ISMS.

Keep in mind you do not have to go the certification route to start. You can begin by starting your ISMS and getting it operational. That is the toughest part! Once started, it is just a matter of making it better as you go along. No two companies are alike so your implementation considerations will be different. However, your goal is always the same creating a company culture of security.

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at

A big Thx goes out to Jack Wiles for sound editing.



Cyber Canucks EP5: Considerations for IoT

We hope you enjoy episode 5 in our series of podcasts on cybersecurity

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Threat Modelling – How is your device going to be attacked
– Code Assessment and Third Party Libraries    Risk and security aspects around application code and checking third party libraries against known common vulnerabilities
–  Infield Patching and Support-  often overlooked when thinking about cybersecurity
–  Manufacturers and SDLC – all organizations need to consider security and implementing an SDLC and formal evaluation process around device
–  Field Monitoring –  Guidelines and standards need to be addressed but also monitoring for suspicious activity in the field.

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at

A big Thx goes out to Jack Wiles for sound editing.


Devs stop the “bolt-on” syndrome

We believe the companies who develop products and services need to develop a cyber assurance program to ensure their solutions do not lead to “bolt-ons”…….yeah you heard me “bolt-ons”. Let me explain — we use insecure communications then use a VPN as a bolt-on to secure it, we use an insecure OSes and applications then use AV as a bolt-on to protect our desktops and PCs, and we do not patch and service our operational systems and use IPS/IDS as a bolt-on to protect them. Get the point?

We have been using this outmoded approach to security for a long time and it does not seem to be getting better but worse. Worse because those organizations that don’t use the bolt-ons are making it ugly for the rest of us when their systems are compromised and used to attack our systems.

How do we fix this mess? At the cusp of all things computerized is software. We need to become obsessed with safe and usable software and applications. We have to stop accepting licenses to use a product that is built to make people lots of money with little regard to users well being. Stop expecting your software to fail and exposure your business and your children. Think of it this way…..if your car was to fail as much as your OS or applications would you buy that car again? Probably not and you would light up social media channels with why not……so why give money back to the same developers who exposed your data in the first place? Or why give someone money who did not perform basic security or privacy testing for an application?

Help stop the bolt-on effect. Be selective of your software providers. Ask them the tough questions on how they perform security testing and ensure that vulnerabilities are reduced to a minimum. Then have them prove it! Take a peek at how many CVEs have been reported against them. This includes your mobile apps. You might be surprised to learn the folks who develop these apps have little to no formal software training yet collect and store your confidential and proprietary data — how safe do you feel now?