Happy Developers
• Working on the product
• Not worried about the security standards or best practices
• Driven to deliver functionality
• Everybody loved the new product that fixed "that" gap
• Secure software vs. robust, usable & functional software
• Security is considered complex in the SDLC process
• Security is considered a non-functional requirement
• Hackers are targeting businesses, not software
• With Agile, the development teams are required to develop functional systems in less time
• Development team awareness on security is less &

• Security hinders usability
• Security is performance hungry
• Security is all about antivirus, firewalls, IPS etc.
• Security is all about encryption
• Security is for big companies
• It is easy to fix a vulnerability once identified
• Security is complex
1. Validate input
2. Heed compiler warnings
3. Architect and design for security policies
4. Keep it simple
5. Default deny
6. Adhere to the principle of least privilege
7. Sanitize data sent to other systems
8. Practice defense in depth
9. Use effective quality assurance techniques
10. Adopt a secure coding standard
Source: https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
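As an added illustration (not from the slides, and not CERT's own code), here is a small Python module that applies several of the practices above to one request path: allow-list input validation (1), default deny and least privilege (5, 6), parameterized queries and shell quoting for data sent to other systems (7), and layered checks (8). The users table, roles, usernames and the allow-list pattern are constructed sample data chosen for the example.

```python
import re
import shlex
import sqlite3

# Allow-list for usernames (constructed for this example): a lowercase letter
# followed by 2-31 characters from [a-z0-9_]. Anything that does not match is
# rejected (default deny), so the check never has to enumerate "bad" characters
# such as quotes or semicolons.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

# Role -> permitted actions. An unknown role or action maps to "not allowed".
ALLOWED_ACTIONS = {
    "user": frozenset({"read"}),
    "admin": frozenset({"read", "write"}),
}


def is_valid_username(value) -> bool:
    """Practice 1 (validate input): True only if value matches the allow-list."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def validate_username(value) -> str:
    """Return the username unchanged, or raise ValueError (fail closed)."""
    if not is_valid_username(value):
        raise ValueError("username does not match allow-list")
    return value


def is_allowed(role: str, action: str) -> bool:
    """Practices 5 and 6 (default deny, least privilege): an unknown role or
    action is denied rather than silently permitted."""
    return action in ALLOWED_ACTIONS.get(role, frozenset())


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data; not taken from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_role(conn: sqlite3.Connection, username: str):
    """Practice 7 (sanitize data sent to other systems) with practice 8
    (defense in depth): the name is validated first, and the query is
    parameterized so the database driver keeps data and SQL apart even if
    the validation rule were ever loosened."""
    name = validate_username(username)
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def shell_safe_argument(username: str) -> str:
    """Data handed to a shell is validated and then quoted with shlex.quote so
    that a name always travels as exactly one argument (practice 7)."""
    return shlex.quote(validate_username(username))


def authorize(conn: sqlite3.Connection, username, action: str) -> bool:
    """End-to-end check: validate, look up the role, then decide with default
    deny. Every failure path returns False rather than raising or allowing."""
    if not is_valid_username(username):
        return False
    role = lookup_role(conn, username)
    return role is not None and is_allowed(role, action)


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed requests: a valid admin, a user asking above their role,
    # an unknown user, and a string outside the allow-list.
    for name, action in [("alice", "write"), ("bob", "write"),
                         ("carol", "read"), ("bob;echo", "read")]:
        verdict = "allowed" if authorize(db, name, action) else "denied"
        print(f"{name!r} {action}: {verdict}")
```

The point of the allow-list is that it describes what a well-formed value looks like, so the code stays correct when someone later discovers a metacharacter nobody thought of; the parameterized query and `shlex.quote` are the second layer, there so that one missed validation does not become a query or command injection.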
• Section 85: Offences by Companies – (1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a Company,
• every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company, as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:
• Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.
• In a typical cyber crime, investigators will search for the origin of the incident, mostly by tracing the IP address of the computer involved
  – If the cyber crime source is an IP address controlled by your company, Sec 85 may become applicable to you.
• How is it that your company becomes part of a cyber crime?
  – Malicious staff members
  – A hacked computer in your network which is used for performing cyber crime on another company / computer
• In such cases, your company may become the
• What happens in such a scenario? Let us review Sec 85 again
  – Who is responsible? (Sub-section (1) of 85)
• Every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company (Head of IT / CEO??)
• As well as the company
• Shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly;
  – Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention
• Sensitive personal data or information of a person means such personal information which consists of information relating to:
  – (i) password;
  – (ii) financial information such as bank account or credit card or debit card or other payment instrument details;
  – (iii) physical, physiological and mental health condition;
  – (iv) sexual orientation;
  – (v) medical records and history;
  – (vi) biometric information;
  – (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
  – (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise
• A body corporate shall be considered to have complied with reasonable security practices and procedures if:
  – they have implemented such security practices and standards, and
  – have a comprehensive documented information security programme, and
  – have information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and with the nature of the business
• In the event of an information security breach,
  – the body corporate shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law,
  – that they have implemented security control measures as per their documented information security programme and information security policies.
• The international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard
  – that can be considered towards reasonable security practices
• The first step to information security is direction
  – Get your policies and procedures set up
• Next is awareness
  – Get your team to undergo security awareness training on your policies & allowed practices
• Top Management / Founders
  – Invest in secure products and in the security of your systems & data
  – Build a top-down approach to an information security culture
  – Assign compliance responsibilities
  – Add the ITAA2008 perspective to the IS audits