WASHINGTON – As more people keep vital personal, financial, and health information online, the ability of networks to fend off attacks has taken on new importance because everyone’s private data is potentially at risk.

At a gathering of the Open Web Application Security Project this week, innovators from the financial services, media, pharmaceuticals, health care, and technology communities came together to discuss how to improve security and manage the risk involved with expanding networks.

Right now, there are no minimal standards of practice in the information security industry, said Joe Jarzombek, director of software assurance at the National Cyber Security Division of the Department of Homeland Security, in his keynote address.

“In other industries, there are shared risks,” Jarzombek said. “For the most part, [in the software industry], all the risk is on the consumer side.”

Security breaches present devastating consequences for consumers who place their trust in software providers and electronic networks to safely and securely store their data and information.

Take the health care industry as an example.

A report by the Markle Foundation, a non-profit information technology policy organization, found that the number one priority of health care information technology, beyond improving quality and reducing costs, is protecting privacy.

According to the report, “consumers, patients, and their families should benefit … through improved access to personal health information without sacrificing their privacy.”

The report also recommended that privacy and security requirements should be practically applicable without creating “unrealistic software upgrade” requirements. In other words, health care networks have to balance privacy with the everyday reality of running large, complex computer networks.

“Every day more information is out on networks,” said Jeff Williams, the CEO of Aspect Security and the volunteer chair of the OWASP board. “Risk is increasing because of the value of networks … It is increasing at an alarming rate.”

In June, an anonymous poster linked to allegedly sensitive records belonging to the telecommunications provider T-Mobile. According to Consumeraffairs.com, the alleged culprit posted records to Full Disclosure, a mailing list for security professionals, on June 6.

As the network security community wrestles with issues like this, the challenge will be in involving more people to solve problems faster.

“We’re trying to reach out to developers, testers and quality assurance staff because they are pivotal to solving the root causes of application security problems,” said Mark Bristow, a member of the OWASP Global Conferences Committee.

The group plans to continue its problem-solving agenda at meetings around the world in 2010.