Many of you will remember the A-Team and how their crazy team was able to overcome impossible challenges. Well, web security is a next to impossible challenge, and organizations can’t expect a single lone actor to protect them from attacks.
One person working in isolation cannot be expected to be an expert in all aspects of Internet security; it’s just too vast, and the area of expertise is simply changing too quickly.
The software that is running our central infrastructure has simply become too complex. Managing the back-end server security is going to be different from managing the front-end security of your Content Management System (CMS). Sure, your CMS sits on the web server, but it leverages very different libraries.
Most organizations aren’t going to have a security team, but there will often be an individual who is tasked with this responsibility along with many other things. Fortunately, there is the Internet, so you don’t actually need to rely just on those within your organization to help flesh out your team.
Whoever is tasked with security should be getting ongoing training so that they can keep abreast of the field. Where your company relies on open-source tools like Drupal, it is important to stay engaged with the security community there as well. There are many people in the community who have experience that they are willing to share with those who are engaged.
Obviously you’ll want to ensure that someone is on the mailing list to see that your organization receives updates of the latest threats to the code that you use. You can usually get updates from a traditional mailing list or RSS feed. Many now have announcements via Twitter and of course there are updates posted on the project’s website.
Someone needs to be aware of when updates are usually announced and be keeping an eye out for those like the Heartbleed bug, which aren’t released as part of a regular cycle. When issues this serious are announced, you don’t want the only person who can address them to be on vacation.
Participation in open-source communities can effectively leverage the knowledge of others and creatively flesh out your team. Giving back to the community and helping others learn about web security will also help to demonstrate that your team knows what they are talking about.
Your security team will need to bounce ideas around and look at what others have done in order to find solutions to today’s complex security problems. Engaging with open-source communities is a great way to build trust with others who can help see that the right plan comes together.