
Why think about web security when it's too late?

Greetings, habravchane!

Some time ago I needed to find a decent intrusion detection system (IDS) to monitor the servers that host our clients' applications. After a long and tedious search, every option I found fell into one of two camps:

1. By geeks, for geeks: open-source solutions that are hard to manage and understand, have no sane interface, can only be operated from the console, and cannot be made sense of without solid experience and knowledge in cyber security. We could have used this option for ourselves, but we could not hand it to clients, who for the most part are far from technical people.

2. Expensive enterprise solutions: designed for large and complex organisations, half of their functionality is simply not needed for web applications, and nobody wants to pay huge sums to install and maintain a system of which only a couple of features are actually used.

All this prompted us to write our own IDS covering our needs: simple and easy to manage, with a clear and attractive interface. We needed to track access to the server, check for third-party connections and suspicious activity, receive alerts about suspicious events, and create our own rules (groups of trusted sources, IP addresses), all of it for Internet-facing servers. Fortunately, our extensive experience in security consulting and having a CISSP-certified specialist on staff allowed us to do this.

After building the system, deploying it and running it on our own projects, we thought that someone else might have the same problem and be looking for a simple and effective IDS. We hypothesised that such a system would interest non-technical people running small and medium-sized businesses built around a web application. So we went out to test that hypothesis.

We did not expect very high interest in web security from this audience, but as it turned out, there was no interest in the topic at all.


"Web security? No, never heard of it" is how their attitude can be summed up. The vulnerabilities we found and showed them did not motivate them. The fact that their applications handle their customers' personal data and therefore require special protection did not become a motivator either. The only interested representatives of this audience were those who came to us for help after a real hack. "It can happen to anyone, but not to me," the owners think, and ignore measures that would prevent or head off threats.

Having thought all this over, we moved on to forming another hypothesis. The current one is that tech leads, CTOs (Chief Technology Officers) or CIOs (Chief Information Officers) in medium and large IT companies (startups, or businesses close to IT: news portals, travel portals, online booking systems, etc.) may be interested in using an intrusion detection system.

But before that, I would like to gauge how aware the IT community is, in principle, that web security is important and necessary (so-called security maturity). So we ask Habr readers who care to take part in the survey below: "Web security. Who needs it?"

Thanks for attention!

Denis Koloshko, CISSP

Source: https://habr.com/ru/post/358092/
