
I LOVE this press release from the NSA.
The shotgun style breakdown is as follows:
Software is often deployed before it is understood. This creates risks.
Period.
The focus of the release and subsequent guidance is software deployed in infrastructure systems. However, the premise and guidance are applicable across the entire western world, public or private.
Utilizing software without understanding its interworking's, its limits, weaknesses and strengths creates an environment ripe with attacks vectors. I think at this point it should be obvious to ALL of us that this happens MOST of the time regardless of the situation or implementer. Public, private or personal we are all guilty and we need to start aggressively increasing accountability for these decisions on all fronts.
I empathize with the plight of implementers of course. Operating in the modern world often means a break neck pace being maintained on all fronts. However, like we have discussed here many times over the past year, when it comes to security we must SLOW DOWN.
It is time for leaders at every level, public and private, to take securing our data seriously. Slowing down, is a necessary culture shift in this regard. We must be measured, poised, and diligent with our decisions. Will we still make mistakes, yes, but we cannot afford to continue wandering blindly in the wilderness, surprised each time we encounter a threat.
Take a pause today, review your critical software utilization and determine if you need to get serious about understanding your risks.