
Is your security program focused on incident response? You're doing it wrong.

Pieter Danhieux
Published Dec 15, 2021
Last updated on Mar 08, 2026

A version of this article appeared as a feature for the Forbes Technology Council. It has been updated and syndicated here.

There is nothing quite like being on the wrong side of a data breach. At first, there might be denial, then panic. Once all the expletives have been aired and the CISO has had to do a 2am conference call with public relations, it’s time to roll up your sleeves and get to work on securing endpoints and systems and quickly eliminating any potential attack vectors. It’s no picnic, to say the least.

And yet, this is a reality that will dawn on many organizations in the future, and one that absolutely must be prepared for with a comprehensive cybersecurity incident response plan. The problem, however, is that this reactive strategy is where much of the time, resources, and effort are concentrated, instead of working to prevent or reduce the potential severity of cyberattacks up-front. It’s a little bit like calling an ambulance for a suspected heart attack; the outcomes are often a lot less positive - not to mention more damaging - than if preventative health measures were in force before it was too late.

To that end, what does a preventative plan look like? Let’s explore how security pros can employ all the tools at their disposal to mitigate ever-increasing cyber risk, every day:

Understand the scope of work that lies ahead 

It seems obvious, but the “right” plan to mitigate cyber risk does have nuances between industries, and it’s important to understand what is needed up-front to reach the desired outcome.

What security problems currently exist? What time and resources are they taking up? How many of them are recurring issues? These are important factors, and will give you a foundational starting point. Consider any roles that need filling, gaps in tooling, and what is needed from an expertise and tool perspective to secure endpoints and reduce the attack surface, while preempting other areas of potential risk. 

A recent report revealed that eleven industries saw a serious vulnerability, across at least half of their applications, every day for the past year. In particular, the utilities, public administration, and professional services industries took 288 days on average to patch known vulnerabilities. This is incredibly slow, giving an attacker more than enough time to do serious damage if those vulnerabilities are discovered before a patch can be applied. This, coupled with the probability of organizations experiencing a data breach approaching 30%, is a sobering reminder that incident reaction is not enough, and the stakes are simply too high to brace for the impact of a large-scale cyberattack and hope for the best.

Prepare to get buy-in for cultural change

Shaking up the status quo does tend to raise a few eyebrows, but the truth is, security programs should be in a constant state of continuous improvement. Every component should stay relevant, and new developments should be assessed and factored in. 

Placing emphasis on a preventative - as opposed to reactive - approach may not be widely understood outside of the security team, especially if a big, bad security incident has not taken place. It might be seen as something that isn’t broken and doesn’t need fixing. In this instance, getting executive buy-in is essential. Some of the more pertinent points for them to consider are:

  • The time and cost savings in preventative measures, such as role-based training and related tools, as opposed to the potential cost of a critical incident 
  • How finding and fixing vulnerabilities now keeps releases on time, with fewer showstoppers from the security team
  • Why preparing for and preempting potential security risks, from the development team right through to release, saves more time (not to mention significant cash) overall. To put it into perspective, late-stage vulnerabilities uncovered in the testing phase - or worse, post-production - can raise costs as much as 3000% on average.

It’s vital that proposed cultural changes are aligned with business goals, even if they seem uncomfortable at first. 

Security awareness is something, security skills are everything

As an industry, we talk frequently about the importance of security awareness, and this is an increasingly critical competency for every member of staff in an organization. However, it is not enough to stop at lip service and passive training, especially for those in technical positions.

Put simply, anyone who is touching code is a potential security risk if they’re not equipped with the skills to code securely. General awareness of basic security parameters is a good start, but without contextual knowledge of good, secure coding patterns, poor habits prevail, and it’s this lack of quality development skill that attackers rely upon to do their dirty work. 

Don’t write off your developers.

Though the attitude is shifting, many organizations are structured in such a way that developers are rarely a true consideration in security mitigation plans. Some industries - like banking and finance - have stringent compliance and regulatory requirements that result in heightened security practices and training across the board, for all staff. And while they’re certainly ahead of other verticals, just about every organization on the planet could benefit from an in-house army of security-aware developers, all with a baseline ability to sniff out common security bugs before they’re committed. Most are nowhere near achieving this critical piece of the security program puzzle - and it’s necessary if we ever have a hope of securing the deluge of code that increases in volume year-on-year.

Preventative security should begin the moment fingers touch the keyboard to create software, but developers cannot be expected to bridge the security skills gap alone. They need the right toolset and contextual guidance to reach a higher standard of code quality, and the best results are always achieved when it’s part of their everyday work, not an afterthought that is sporadically rolled out whenever annual compliance requirements roll in.

Author
Pieter Danhieux

Chief Executive Officer, Chairman, and Co-Founder

Pieter Danhieux is a globally recognized security expert, with over 12 years' experience as a security consultant and 8 years as a Principal Instructor for SANS, teaching offensive techniques on how to target and assess organizations, systems, and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech People in Australia (Business Insider) and awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association). He holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, and GCIA certifications.
