Five Ways To Reveal Your Security Practices
Here are the top five ways to ensure the development of a secure product and make the project safer. Read some valuable tips from the Sigma Software team.
Cybersecurity has been among the most significant trends over the last decade and has become even more critical now, mainly due to more remote work being done. From ransomware to cyber espionage, hackers have developed sophisticated techniques to break into your project/company data and get away with critical information or demand ransom.
Even well-known organizations such as Canon, Garmin, Twitter, Honda, and Travelex have been victims of malicious actors. A data breach can be a disaster for your company or project, destroy your customers' trust, and spoil your company’s reputation.
Many Project Managers still think that project security is the responsibility of other people – software architects, DevOps, InfoSec specialists, etc. However, a PM’s task is to ensure that the products you create or services you deliver are secure.
How can security be checked, and what unexpected security issues may you face when starting a new project? Here are five ways to ensure the development of a secure product and make your project safer. The Sigma Software team has some valuable tips on implementing security practices in SDLC.
Let's waste no time and start with the first one.
Not by Checklist Alone…
Security is no longer a ‘nice to have’ option. Every business starting a new project with a third-party consultancy wants to ensure the vendor follows security practices. The easiest way is to have the vendor complete an assessment checklist with a section dedicated to project security. Such a checklist, however, is nothing more than the company's own opinion of how good its security program is. The real situation may differ significantly.
Companies used to be satisfied with the information provided in those checklists. Now, businesses are looking for something more than words: proof that you have implemented security practices and are following them in your daily work. How exactly can this be proven? Below are the five most common ways.
1. Tracing the Company on the Internet
There are two main paths for gathering information about your company. The first one, OSINT (open-source intelligence), involves collecting data from publicly available sources, including media (newspapers, radio, television, etc.), online publications, blogs, discussion groups, YouTube and other social media websites, public government data (reports, budgets, hearings, telephone directories, press conferences, websites, and speeches), technical reports, patents, working papers, business documents, newsletters, and more.
That’s a lot (A LOT) of information! Yes, it takes time to analyze it; however, it is an efficient way to pinpoint any data-security weaknesses the company has had in the past or still has today.
Organizations may also resort to specialized platforms and tools for third-party risk assessments. These solutions, like RiskRecon, BitSight, and others, provide ready-to-use assessment procedures that help rate a vendor and decide whether to work with them.
So, you see that everything you make public can influence the whole picture. An app that contains a vulnerability influences your reputation, even if it was for internal use, even if it happened years ago, even if it was published for just an hour. You may forget what you uploaded to the network. The Internet does not forget. It is in your power to reduce the areas of attack and minimize the information that can be used against you. Look carefully at what you make public.
2. Conducting an Independent Evaluation
An external evaluation is one of the most popular ways to confirm that a vendor follows all security practices. You have to ensure that the results of such an evaluation match what you specified in your checklist. Otherwise, you will find yourself in a fragile position. Thus, when filling in the checklist, omit false information and refrain from embellishing reality. If you realize that your current security posture is not good enough to compete successfully, treat this as a call to action: improve security in your company, because you'll have to do it anyway. This is a requirement of the changing reality.
3. Reviewing Internal Pentest Reports
To check how secure your project is, your potential customer may request your internal reports on penetration testing. Such testing should be conducted at least once a year or before any significant releases. So, if your project runs, for instance, for three years, you should provide a client with three reports, and you'd better have them all.
Make it a rule to conduct pen tests on that schedule without exception. Keep track of this regularly so that you do not have to scramble for a way out when a client asks for the reports.
4. Checking for Phishing Awareness
When declaring that your company implements security practices and teaches its employees how to develop secure software and defend against modern threats, remember that your customers may want to check whether it is true. One way to do this is to send simulated phishing emails to your staff. If your employees respond to such an email, it means your security practices are not as good as you imagine.
This is a red flag for the client that your team does not know or follow the basic security rules, which puts your current customers at risk. Ensure you train your team to identify phishing emails and how to act when receiving them.
5. Listening to What You Say and How You Say It
Direct communication matters a great deal in any situation.
Communication about security is no exception. What you say about your company's security practices, and how you say it, is a litmus test of whether you know the subject. Enlist the support of colleagues who are experts in the field.
Don't gamble on your customer knowing no more than you do. It's funny, but it works both ways; it doesn’t matter if you are a security guru. Even if you are wise in the area, your task is to show that you can develop a safe product, not to make the client feel uneasy about the level of their own knowledge in the field.
Published at DZone with permission of Den Smyrnov. See the original article here.