Monday, August 25, 2014

Information Security Management - Introduction


Hi, my name is Margaret. I have been a programmer for over 25 years. I started out as a COBOL programmer and have worked in various programming languages in my career. Currently, I work primarily in Java. The transition from COBOL to Java was a huge leap. As a COBOL programmer, all of the programs I worked on were batch programs and not outward-facing. This meant that we did not have to spend any of our time making sure our programs were secure. Back when I started (1989), my company did not have any Internet-facing applications. As a Java programmer, a lot of my job is to make sure I write secure code, since most of what I work on is outward-facing applications on the Internet. I also work on some internal applications on the intranet, but it is still critical that they are secure because security threats can often come from within a company.

I work for a large privately owned bank in Nebraska and have worked there for over 30 years. At a bank, it is critical that we adhere to the safest possible practices for storing and transmitting customer information. My company is very active in doing penetration testing of all of our web sites annually. The penetration testing is also done when we have any major changes made to existing applications. I have been involved more than once in remediation work for our web sites.

As people get more and more adventuresome in how they attack web sites, we have to become better at protecting our customers' information. A breach of a financial institution's data would cause a huge amount of financial and reputational harm to my company. We treat keeping our customers' information safe as a top priority. There are also lots of regulations that dictate how we keep our customers' information safe, and we make every attempt to adhere to all of them.

All developers at my company who work on web applications or mobile apps are required to take annual training on the OWASP top ten security threats. The training goes through the top ten threats each year and also gets into how to protect applications from them. The training is meant to keep all the developers focused on good programming practices throughout the year.

Information security takes a "tribe," not just a person. There are many areas involved in keeping our information secure, including our networking staff, our application server support staff, our web server support staff, our developers, and our information security staff. Without diligence from all members of our IT team, we could not ensure the security of our sites.

On a side note, my son asked me what COBOL stood for while I was writing this blog, and I didn't know, despite teaching COBOL for four years on top of programming in it for ten. I looked it up and there were some humorous definitions given: http://acronyms.thefreedictionary.com/COBOL. I am guessing the first one is the correct definition:

COBOL - Common Business-Oriented Language
COBOL - Completely Obsolete Business-Oriented Language :-)
COBOL - Completely Over and Beyond Obvious Logic :-)
COBOL - Compiles Only By Odd Luck :-)
COBOL - Completely Obsolete Burdensome Old Language :-)