Information security has become one of the most critical concerns for any firm today. Start with intellectual property: for many companies the patents they hold are a substantial part of the business, and they pay enormous sums in mergers and acquisitions just to obtain them. Google acquired Motorola Mobility largely for its hand-held device patents, and Microsoft acquired Skype to enter the telecom-protocol and SIP-phone markets. Having bought those assets, protecting them with security measures becomes all the more important. The same applies to companies like Amazon, which started as a bookseller, and Best Buy in retail, and to the new web-native companies that are displacing traditional ways of doing business; essentially everything is moving onto the web. We have gone from Web 2.0 to Web 3.0 to cloud computing, where Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and Software as a Service (SaaS) are all exposed on the web, and managing security becomes more critical still.
The biggest problem in security is how to define it, which I covered in part in my last article, but the bigger concern is how to manage security projects. The traditional SDLC and software processes do not apply well to security because of the number of dimensions a threat can touch: it may come from the software itself (the weaknesses OWASP catalogues), from the web interface (again OWASP), from the operating system (viruses, malware, Trojans and so on), from the assembly level, from the hardware (the ATM-card failures reported recently against the controls PCI DSS requires), from operational lapses not captured in an audit, from signal transmission that exposes data to any machine or sensor network that can catch the signal, from the network layer (routers and switches), or from the mathematics of the encryption and decryption itself being broken. The domain is so vast that pointing at a single fault is often a mistake. Defining the requirements is hard enough; managing such a project is harder still.

So what does it take to manage such a project? The traditional Plan-Do-Check-Act (PDCA) view does not account for emergencies, nor for penetration testing done against software, a website, a protocol or a technology. PDCA is valid when you are running a penetration test as a project, but maintaining security is a continuous task, and a testing methodology like OSSTMM helps with the testing engagement itself, not with keeping the network, the OS or any other part secure over time. Security is a continuous project, and it requires exhaustive preparation.