The security of an IT-infrastructure and/or application is tested by means of a security assessment and/or penetration test. In practice, these assessments usually take place after delivery of the infrastructure or software. Often security isn’t an integral part of the design. The disadvantage of this approach is that bugs or mistakes are only detected afterwards, when they are difficult or impossible to fix. The tests are also just a snapshot: what has been tested today is out of date tomorrow.
According to ITsec, it is important to pay attention to the security of an IT-infrastructure or (web)application in every stage of the development process. Whether applying DevOps, agile or a more traditional development method, a risk-driven approach to security is essential. Only in this way is it possible to iteratively develop inherently secure infrastructures and/or (web)applications. It’s also possible to make changes at an early stage, which makes it easier to control the total cost of ownership. Making security an integral part of the development process gives management and (external) auditors the means to determine, at any time, whether the IT-infrastructure and/or (web)application works as it’s supposed to and is secure.
In practice this means that during every stage of the development process one or more ‘ethical hackers’, security engineers and/or security architects are involved, in activities ranging from preparing use cases, assessing risks and determining requirements to security testing. The aim should be to automate the (regression) tests as much as possible so they can be easily integrated into today’s development methods. The advantages are evident: a repeatable test process and inherently secure infrastructures and/or software.
Processing and exchanging information has become a core business for many organizations. Information is everywhere and business processes are increasingly supported by IT. It’s important that information is available when needed, correct and complete, and accessible only to those who need to know. This is only possible if people, processes and technology operate effectively.
ITsec is part of Insite Groep. Insite Groep considers security awareness the starting point of cyber security. In our eyes, information is only secure when people handle the technical and organizational measures in the right way. Human behaviour determines (the level of) cyber security. That’s why we always align people, processes and technology.
Cyber security is not a one-off activity; it’s a continuous process. The context in which organisations operate and the risks they face change constantly. That’s why it’s important that you keep adapting and improving and not only take one-off measures. Our approach provides continuous insight into the level of cyber security and the weak spots. This way you stay on top of things. We tell you what to improve, why and how. Of course, we help you implement improvements. By doing so, we work on cyber security, today and tomorrow.