Thursday, July 11, 2013
Thursday, July 4, 2013
Importance of Secure Software Development Life Cycle
A common delusion is that applications should be secured after they are developed but before deployment to the production environment. Performing a security audit after they are completed typically results in a significant number of security flaws, said Dr. Anup Girdhar (CEO-Sedulity Groups). Some of these flaws could involve serious technical and architectural issues. In a best case scenario, developers can invest an immense amount of time and effort to fix these flaws. Worst case, the application may require recoding and renovation of its architecture. Performing application security in this manner is incredibly expensive and time consuming. Integrating security into the early phases of the ‘SDLC’ neutralizes this cost and produces more secure applications in comparatively less time.
However, many organizations have not yet formalized their secure software development program, and consequently they spend more time reacting to security issues in completed applications rather than proactively eliminating issues before the applications are completed. Further, they see the same problems manifest themselves time and again in the same applications. This is a clear sign that a strategic approach must be engaged to avoid the endless bug-fix cycle.
Sedulity helps organizations to develop a secure SDLC integration program, including recommended policies, guidelines, and knowledge transfer, to address the three fundamental areas of people, process, and technology that are critical to a successful development process.
The secure software development gap analysis process can significantly benefit from security reviews of several of your applications to create a baseline. This testing could include threat modeling and penetration testing. Creation of this baseline will allow Sedulity consultants to accurately determine the state of software security within your environment. This in turn helps during the gap analysis and in making recommendations that can truly help your organization improve its software security while still delivering IT projects on time and within budget.
Methodology:
Sedulity Solutions & Technologies will gain a comprehensive understanding and analysis of how your development teams work. Through interaction, analysis of documented SDLC procedures, and review of any known issues with existing applications, Sedulity consultants will understand existing practices and be able to identify areas for improvement from a security perspective. A key part of this analysis will include examining existing and proposed touch points and artifacts to identify critical areas for improvement. Sedulity measures the maturity of your application security efforts and helps you determine next steps by evaluating your SSDLC against a baseline of our best practice areas, which are as follows:
• Awareness and Training
• Assessment and Audit
• Penetration Testing
• Development and Quality Assurance
• Compliance
• Vulnerability Response
• Metrics and Accountability
• Operational Security etc.
Friday, June 14, 2013
Meet & network with international experts at Zebra-Con ‘An International Conference on GRC’
Condition Zebra, an established risk management and critical infrastructure security solutions provider from United States, is hosting its inaugural conference on Governance, Risk, and Compliance (GRC) in Malaysia this August.
“ZebraCON is an information exchange platform with an assembly of industry experts to share on strategic solutions and compliance concerns that impact security risk management,” said Wilson Wong, Managing Director of Condition Zebra. “Unlike a conventional conference covered with vendor-centric presentations, the content of our topics is specially designed to bring out a more engaging and interactive session.”
Kicking off on 27th August, more than 400 GRC professionals and corporate leaders around the globe are expected to gather at the Berjaya Times Square Hotel for this 3-day symposium. The speaker line-up includes Drew Williams (President of Condition Zebra), Dennis Moreau (Technology Strategist at RSA Security), and Jim Manico (Vice President Security Architecture of Whitehat Security), just to name a few.
“Protecting the Payloads: Aligning GRC with Business Priorities” is the theme for this event. It illustrates the importance of, and strategies for, adopting stronger security solutions across critical infrastructures to secure the organization’s assets from perilous attacks.
According to a study conducted by PricewaterhouseCoopers, 78% of the organizations anticipate increased board and audit committee demands for evidence of effective compliance. To remain competitive, organizations need an effective system to improve overall compliance objectives and simultaneously, have a clear overview on the distributed access control in their business environment to mitigate risks.
“Every organization is facing the growing security threats caused by dubious business practices. Risks are present and unpredictable, doing nothing will only put the organization in rough water and bring huge damage to its assets when the attack strikes,” said Wong.
ZebraCON will feature insightful GRC strategy and implementation guidelines for policy development throughout the event. A series of expert-led trainings is to follow suit, covering the root cause analysis of GRC challenges to cloud computing, a business-translated view of the national security policies, as well as the legal considerations of infrastructure preparation.
More information about ZebraCON 2013 is available at http://www.zebra-con.com, or you may also visit and contact http://cybertimes.in and http://sedulitygroups.com to register and avail a 20% discount for the conference.
Tuesday, May 28, 2013
Penetration Testing can help corporates to meet their security goals
After so many recent and powerful malware attacks, corporates need, more than ever, to take advantage of cyber security in order to test their networks, systems and applications and protect themselves from different cyber attacks. Ensuring that web-based systems and applications are secure requires more than just good design and development. In order to identify vulnerabilities, it is often a good idea to involve an independent body like Sedulity Groups to help find potential security problems before releasing to the public.
Getting Penetration Testing done is the single best practical way for companies (small, medium, and large) to establish the optimum level of security within their networks and systems. Having third parties do this testing is a good way of introducing genuine experts and getting a different view on something, said Dr. Anup Girdhar, CEO of Sedulity Groups. "However it’s also important to make sure that security is the responsibility of the team, and not something that is outsourced. With the ever-increasing risk of internal & external Cyber-Attacks to websites, the adoption of new technologies including virtualization and cloud computing, organizations have to firstly, identify Cyber Threats and secondly, put control measures in place to defend themselves from all these Cyber Attacks."
Routine IT audit, also known as penetration testing, is an essential component for any corporate to implement the optimum level of security. As computer technology has advanced, organizations have become increasingly dependent on computerized information systems to carry out their operations and to process, maintain, and report essential information. As a consequence, the reliability of computerized data and of the systems that process, maintain and report these data is a major concern to audit.
Penetration testing should go far beyond proving it is possible to break into a system. It should explore the impact of the compromise and give a business answer to the threats an organization faces, Dr. Girdhar said in an interview. A client may not care that a development SQL server is vulnerable – but if that server is joined to the domain, we can demonstrate that it almost always allows an attacker to gain full access to the entire network. Likewise, a vulnerable firewall might not be important if the vulnerability cannot cause loss or embarrassment to the business. This type of analysis will assist you in directing security strategies and efforts. This makes penetration testing a need rather than an optional endeavor.
Sedulity Solutions & Technologies is the most professional group of IT security experts and ethical hackers, involved in various cyber security solutions for corporate and Govt. departments such as Penetration Testing, IT Auditing, Cyber Crime Investigation, Data Acquisition, Network Security, Server Configurations, Security AMCs, Creation and Hosting of Secure Websites, and finding vulnerabilities and loopholes in websites, and it also provides the security countermeasures to overcome cyber attacks. Penetration Testing services include a comprehensive report which identifies the vulnerabilities and severity levels and also recommends remedial activities. These services are suitable for small, medium, and large companies. The packages are available for a limited time only at the special discounted price.
To get the best Cyber Security Solutions for your business or organization, you may contact Team Sedulity.
Friday, May 24, 2013
Why HTTPS is not implemented on entire web when it is more secure?
Today we live in the advanced ‘Cyber Space’ where we are all connected through various means of communication using the Internet. More than 99% of internet users visit a lot of websites, including social networking, email services, e-commerce, banking etc., where we pass our user names and passwords many times each day. At the same time the problems of ‘Cyber Crimes’ are also rising, where most of the problems are related to the hacking of user names and passwords. Today, most websites are on http instead of https, which is supposed to be a much more secure protocol. That extra "S" in the URL means that your connection is secure and it's much harder for anyone else to see what you're doing. However, the question is: if HTTPS is more secure, then why doesn't the entire Web use it for security reasons?
HTTPS is used only by those sites that handle money, like your bank's website or shopping carts that require financial information like credit card details or online bank details. For example, if we talk about the websites of banks, it is mandatory for every bank to implement https on its website, as per the RBI guidelines. It is easy for anyone to capture your current session's log-in cookies on any insecure network like your college/office hotspot or public Wi-Fi at restaurants.
You might not mind anyone reading your messages on Twitter. However, you would never want anyone sniffing your user name and password. That’s why Twitter recently announced a new option to force an HTTPS connection. However, it is available only for desktop browsers and not for mobile browsers, which is another issue.
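Whether a site leaves log-in cookies open to capture on a shared network, and whether it forces browsers onto HTTPS, can be read from its response headers. The following audit is an added example, not part of the original post; the sample headers are constructed and the function names are hypothetical.

```python
# Added example: constructed response headers; function names are hypothetical.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_max_age(headers):
    """Return the max-age of Strict-Transport-Security, or None if absent or invalid."""
    for key, value in headers:
        if key.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            d_name, _, d_val = directive.strip().partition("=")
            d_val = d_val.strip().strip('"')
            if d_name.strip().lower() == "max-age" and d_val.isdigit():
                return int(d_val)
    return None


def audit_response(scheme, headers):
    """List the ways this response leaves log-in cookies readable on the network."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if scheme == "http":
            findings.append(f"{name}: issued over plain http, readable on a shared network")
        elif "secure" not in attrs:
            findings.append(f"{name}: no Secure attribute, also sent on http requests")
    # HSTS is only honoured on https responses; max-age=0 switches it off.
    if scheme == "https" and not hsts_max_age(headers):
        findings.append("no effective Strict-Transport-Security, browser is not forced to https")
    return findings


# Constructed samples: (scheme, response headers) for three log-in responses.
HTTP_LOGIN = ("http", [("Set-Cookie", "session=abc123; Path=/")])
HTTPS_WEAK = ("https", [("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
                        ("Set-Cookie", "lang=en; Secure")])
HTTPS_FORCED = ("https", [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
                          ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")])

if __name__ == "__main__":
    for label, (scheme, headers) in [("http", HTTP_LOGIN), ("https weak", HTTPS_WEAK),
                                     ("https forced", HTTPS_FORCED)]:
        print(label, audit_response(scheme, headers) or "ok")
```

The middle sample shows why serving the log-in page over HTTPS is not enough on its own: without the Secure attribute the browser still attaches the session cookie to any plain http request to the same site.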
Slowly and gradually websites are moving to HTTPS, but why shouldn't the entire web move towards it? That’s the question that was put to Dr. Anup Girdhar (CEO-Sedulity Groups) during an interview. There are a lot of issues due to which it’s taking a lot of time to move from http to https completely. The major problem is the high cost which is to be paid to get the secure Certificate, due to which most of the vendors do not prefer to move to https. Another problem which is also encountered is the slow performance hit when using https, said Dr. Girdhar.
Moreover, if you calculate the cost of running the https site, it is expensive as compared to the http site. An https website doesn’t work because it requires good broadband speed and should be browser compliant. It is possible with the Man-in-the-middle attack to crack the password on http sites, where https websites are comparatively more secured. However, the hackers are so advanced that they’ve even hacked the https websites as well, which has become another security constraint for the W3C. Certain add-ons and plugins are available which simply recover the username & password from the https websites as well. I have demonstrated the same in one of the International conferences held at Singapore, said Dr. Anup Girdhar.
If we measure, the reasons can be taken care of by providing an optimum level of solutions in order to get secure connections. So we need to look broadly at how well https, if implemented completely, will safeguard our websites and protect our data.
Wednesday, January 23, 2013
Cloud Computing: An Icon in the IT world
Cloud computing means using computing resources, both hardware and software, that are delivered as a service over the Internet. In other words, the computer and software services necessary for computing work, provided via the internet, are called cloud computing.
When we think about the needs of IT, cloud computing comes into focus as a way to increase or add capabilities on the fly without investing in new infrastructure, training new personnel, licensing new software etc. Cloud computing encompasses any subscription-based or pay-per-use service that, in real time over the Internet, extends IT’s existing capabilities.
Cloud Computing is a technology that uses the internet and central remote servers to maintain data and applications. Cloud computing allows consumers and businesses to use applications without installation and access their personal files at any computer with internet access. This technology allows for much more efficient computing by centralizing data storage, processing and bandwidth.
It is named cloud computing because all the services are provided via the internet, and the cloud symbol is used in system diagrams as an abstraction for the complex infrastructure it contains. Cloud computing entrusts remote services with a user's data, software and computation.
There are three types of services offered in Cloud Computing, which are as follows:
- Infrastructure as a service
- Platform as a service
- Software as a service
Infrastructure as a service:
In Infrastructure as a service, the service provider provides the necessary servers, hardware and networking components to an organization for a fee. The organization in turn installs the necessary programs in the service provider's server and uses them. The service provider is responsible for the maintenance of the servers.
Platform as a service:
In Platform as a service, the service provider provides the necessary software and the tools for creating software, which are installed in its server, to an organization for a specified amount. The organization creates the necessary software on this platform and uses it. It’s like renting a house which has all the necessary things.
Software as a service:
In Software as a service, the applications hosted in the service provider’s server are made available to customers via the internet. The provider also interacts with the user through a front end panel. The provider provides the necessary support to the customer. The services range from e-mail to data processing.
Advantages of Cloud Computing
- The main advantage of cloud computing is that the customer can get the service at any time.
- Also there are no problems of computer crash or server down. All the responsibility is of the service provider.
- There is no investment cost for computers, servers, software, etc.
- Amount can be paid according to usage.
- Nowadays, the service providers provide the service on a monthly basis. The provider and the customer can cancel the agreement at any time.
Disadvantages of Cloud Computing
- Possible downtime: Cloud computing makes your small business dependent on the reliability of your Internet connection. When it's offline, you're offline. And even the most reliable cloud computing service providers suffer server outages now and then.
- Security issues: How safe is your data? Cloud computing is Internet computing. So you should not be using cloud computing applications that involve using or storing data that is private and confidential. That being said, established, reliable cloud computing vendors will have the latest, most sophisticated data security systems possible as they want your business and realize that data security is a big concern.
- Cost: At first glance, a cloud computing application may appear to be a lot cheaper than a particular software solution installed and run in-house, but you need to be sure that the cloud application has all the features that the software does and, if not, whether the missing features are important to you.
- Inflexibility: Be careful when you're choosing a cloud computing vendor that you're not locking your business into using their proprietary applications or formats.
- Lack of support: Customer service for Web apps leaves a lot to be desired. All too many cloud-based apps make it difficult to get customer service promptly – or at all. Sending an email and hoping for a response within 48 hours is not an acceptable way for most of us to run a business.
Thursday, January 17, 2013
Wi-Fi: An important Technology for Communication
In today’s world there is no need to grab the telephone receiver and dial a specific number to transmit voice through cables merely to hear the voice of your friend. Now each of us carries our own handset with a built-in phonebook and text messages. Facilities like Wi-Fi have further improved the standard of communications by cutting down expenditure and increasing availability.
No matter where you are, you can access the world of the web through your mobile handsets, laptops and even your tablets. The technology that enables you to connect to the internet without any wires, no matter whether you are in a cafe, in a library, in a shopping mall, on a college campus or at an airport, is Wi-Fi. The wireless network is also known as the 802.11 standard. The area where wireless technology is present and available to the users is known as a Hotspot.
The inexpensive, user-friendly Wi-Fi networks are also conspicuous. Wi-Fi is commonly installed in homes and offices these days, in order to transmit information through the air without the use of wires. In the near future you will find wireless networking available in every nook and corner of the country due to its demand and usefulness. And that day is not very far.
Wi-Fi is derived from the decades-old term Hi-Fi, which stands for the type of output produced by quality music hardware. Wi-Fi Technology is WIRELESS FIDELITY and stands for all those technologies that fall under the specifications of IEEE 802.11, including 802.11a, 802.11b and 802.11g. The association of the term Wi-Fi with various technologies is merely because of the promotions made by the Wi-Fi Alliance.
Wi-Fi transmits data through radio waves. It is a two-way radio communication: the wireless adapter translates data into a radio signal and then transmits it via an antenna, and the signal is received and decoded by the wireless router, which uses a tangible wired Ethernet connection to send information to the internet. The process is reversed when the wireless router receives data from the internet and translates it into a signal, which the wireless adapter receives and decodes.
If your laptops and cell phones do not have a built-in wireless transmitter, then you could purchase a wireless adapter and plug it into a USB port. A Wi-Fi hotspot is automatically discovered and connected to by the transmitters. The presence of Wi-Fi in public places makes it convenient to stay connected to your official tasks or to social networking.
Thus the Wi-Fi Technology is very beneficial to always stay connected with your colleagues, friends and relatives.