Defense in Depth: Inherently Vulnerable By Design

Much of what we do as practitioners is to prevent inadvertent security problems – oversights, zero-days, etc. What about inherent and unavoidable problems? When the very design of the thing requires a lack of security? What do you do then?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Dan Woods, vp of the Shape Intelligence Center, F5.

Thanks to this week’s podcast sponsor, F5

External threats to your organization’s security are constantly evolving. Your apps need broad and preventive protection from bot attacks that cause large-scale fraud, higher operational costs, and problems for your users. And they need to be optimized for secure operation internally. Silverline Shape Defense helps you stay ahead of cyber threats and fraud. Get a free trial.

Got feedback? Join the conversation on LinkedIn.

On this episode of Defense in Depth, you’ll learn:

  • The mere act of conducting business requires you to have certain procedures that would make you vulnerable. Simple things like taking customer information to create user accounts and processing credit cards. That’s inherent to doing business, and by opening that up, it makes you vulnerable.
  • A lot of this inherent vulnerability comes down to having users or customers and needing to authenticate them.
  • When you start a business you’re also accepting the inherent vulnerability and you have to ask yourself to what level can the business function having that vulnerability abused? It’s all about risk appetite.
  • Two factor authentication sure is nice, but there has to be multiple “behind the scenes” authentications going on to verify identity continuously.
  • As you’re collecting all these additional data points you can use that information to ask the user to verify.
  • Provide discounts to customers and users for good security practices. Insurance companies do this with people who prove safe driving practices. It could be a win-win for everybody. For example, with Mailchimp, they give you a discount if you enable 2FA. Why not offer a discount for a really long and complicated password?
  • One of the major issues is the password reset process happens through email. Email wasn’t designed for critical authentication. Many hacks happen through the reset process via email.

Defense in Depth

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.