The Security Office - we have interviewed the authors of the Defence in Depth series.

They are experts in application security and members of the Security Office, a group within Omegapoint that works to raise awareness of application security among our customers. Martin Altenstedt and his colleagues at the Security Office in Gothenburg have now produced a series of articles describing what is required to build secure systems.

Hi Martin! What is your role and what are you actually working on?

- I am an expert consultant in application security and am responsible for the Security Office. What we do is help companies with security in three ways: conducting security audits, performing penetration tests and establishing a structured approach to application security with our customers.

We take great responsibility for security, and our consultants work part-time in the Security Office. The rest of the time we work as developers, which gives us a greater understanding of all the different considerations that customers need to take into account.

Why did you write Defence in Depth?

- We want to tell you what we do and what we can do, but at the same time we want to give you an overall picture of what it takes to build secure systems and what that means. If we can also raise some awareness of the importance of being aware of your security needs and whether or not you are meeting them, that would be great!

But isn't it a bit excessive to be as zealous as you are in the articles?

- Sometimes it is absolutely excessive. But that depends on the need for security. A bank obviously has completely different needs than a scout association. The important thing is to be aware of your needs and whether you are meeting them or not. Most people have a need to protect, for example, customers' personal data, because there are more demands on it today than in the past. Others have much higher demands on their level of security, and then the content of these articles is relevant.

What do you think are the main problems with the way application security is handled today?

- Unfortunately, the most common problem is not working on it at all. Security is often low on the list of priorities. I think a lot of it is about other things becoming more important because they are more noticeable. Non-functional requirements for an application, such as that it is fast or works properly, become acute if they are not met. Security is often not noticed immediately, and in many cases an intrusion is not noticed at all.

But why take this security thing seriously?

- Partly because of stricter rules on the handling of personal data. But also because the threats are growing as the number of actors increases and they become much more sophisticated. What drives the people who break in is money. Secret information is very valuable on the illegal market and therefore many people are dedicated to getting it.

Who is responsible for the security of companies?

- It varies a lot, but in general the responsibility requires a higher level of competence today than before. The reason is that we used to build systems with perimeter protection. Today our systems need to interact with everything from people's mobile phones to other systems. This places completely different demands on those of us responsible for security.

What is the biggest challenge for companies in establishing an adequate level of security?

- Lack of clarity as to who is responsible for it. Unfortunately, responsibility often falls through the cracks, and one reason for this is a failure to define what level of security is considered adequate. Another is that they simply don't have the skills in-house.

Last question, if someone wants to learn more about this, how should they do it?

- Read our series of articles! We at the Security Office also give talks on application security, and we are happy to come out to companies and do that.
