Secure Coding

It is hard to believe that we are days away from the 10-year anniversary of our humble beginnings. We have come so far from the company that I started in my basement. Back then it was just a dream of starting something small as an independent consultant but wanting to share my expertise in cyber to help clients. Now we have grown to a team of 7 and have offices in a great part of town in Ottawa, Canada, and global clients. We are bursting at the seams and have already expanded our office footprint. With next year poised for more growth, we will be expanding again and adding more R&D capacity in the process.

I have learned lots during my tenure as both a business owner and executive, and have made some good and bad decisions along the way. I never shy away from admitting my mistakes, especially some questionable partners and sub-contractors – but life and business are about learning and I am grateful for the lessons. I am humbled and blessed by the staff, clients, and partners we currently have, as without you none of this would exist.

We will be refining our services as we shift the company from consulting to formal testing and evaluation and secure product development. Our capabilities will be expanding in the next year, including our Hut6 platform, to offer more services. With our growth in education, healthcare, and industrial, our next 10 years look very promising, and with our current team in place we are definitely going to make this happen.

For all of you who believed in me and my dream, thank you! Let's make the next 10 years better than the first as we enter the teenage years of the company.

//Faud

This past week I was fortunate to be invited as a guest speaker for the 1st Internet Society meeting on IoT security. This meeting was well attended by government, private sector companies and academia. It was a means to get on the same page about the issues at hand and how we, as users, developers and government, secure the Internet and IoT.

The key issues at hand include:

1. Awareness of the issue of IoT security for Canadians, not just individuals but organizations that want to deploy IoT technologies

2. What exists now from a standards and best-practice perspective and what approaches can be used

3. What can be done to ensure the next generation of these devices is not a source of another DDoS or other malware on the Internet.

As promised, I am including my presentation and the mind map that was presented. Please feel free to share this as necessary; the more groups and individuals who are talking about this subject, the better.

For more information check out ISOC here.

ISOC Ottawa_v1

IoT Attack Surface_MindMap

 

Saw this post today about programmers discussing the unethical and illegal things they’ve been asked to do, and it really made me think about all the battles I had as a young cyber security practitioner. Fortunately I was very fortunate in that I had lots of support and worked for an organization that respected security at the onset of my career in cyber security more than 20 years ago. This helped me when I experienced the other side of the coin, where executives wanted things like breaches covered up and threatened you with lawsuits if you refused to obey or speak out... And yes, that happened to me once. The choices that I made then and throughout my career were and still are shaped by those experiences and my ethics.

Five years ago Marc Andreessen penned his famous “Why Software Is Eating the World” essay in The Wall Street Journal. Today software is feasting on the world; its footprint is in our businesses, our smartphones, our physical activities, leisure and even sleep. This footprint is only going to grow exponentially with the Internet of Things (IoT), as are the opportunities for those with fewer principles or ethics to take advantage, especially in terms of unethical coding and the misuse of the treasure troves of data that many companies are custodians of today.

Companies that are data custodians but do not have the required cyber security for their customers’ data, either through negligence or incompetence, are doing a disservice to their customers. However, despite the rash of data hacking in recent years, it is not all negative. More and more executives appear to have turned the corner and are now willing to listen and learn about how to better protect their companies and their customers’ data. Moreover, I strongly believe that relatively new legislation such as PIPEDA in Canada will motivate many companies to not just think about meeting a requirement but how to better secure their organizations. Believe it or not, being cyber secure is, and will be, a differentiator in many markets, as those who are unwilling to invest in better cyber security will do so to the detriment of their customers, shareholders and themselves. Going forward, executives will be in the crosshairs of data breaches and will have to own up to any oversight on their part in terms of cyber security and the protection of their customers’ data.

That said, my advice to all employees is to protect yourselves. Ensure that requests to perform unethical activities are recorded with date, time, and people — record who, why and what, and remember to keep your journal encrypted. If you are asked to do something that is completely illegal, contact a lawyer and report it to the relevant authorities. If and when you leave the organization for these reasons, make sure you report it during your exit interview. Your ethical duty is to make them aware of it and that you have recorded all aspects of the activity. It is then up to them to deal with it, as it is their responsibility to ensure secure software.