How the New Retailers' Security Knowledge Base Will Benefit Testers
With more and more online activity involving a user’s sensitive data (credit card details, health records, login credentials, or any other personally identifiable information), the systems that handle that data are becoming more exposed by the day. Not too long ago, we heard about Target’s CEO resigning after taking responsibility for the security breaches that his organization faced in late 2013.
We hear about all the sophisticated ways in which hackers attack and compromise online systems, but the truth is that all of this is just beginning. Online retail sales in the United States were estimated to be just 5.8 percent of the overall retail domain’s worth in the second quarter of 2013. As that share grows, so does the scope for hackers to target vulnerable systems.
In an initiative to proactively curb cyber attacks, a group of organizations has come together to create a forum called the Retail Cyber Intelligence Sharing Center. Retailers such as Lowe’s, Nike, and Target formed this center with the goal of identifying newer threats, sharing input on how to mitigate them, and providing tips on what to watch out for. Security is a very dynamic landscape, and having a forum such as this will greatly help several entities—especially software testers looking for newer tests and scenarios to account for in their security testing efforts.
Security tests are often very challenging to put together, are vast in scope, and may take hours of effort without significant results. The Retail Cyber Intelligence Sharing Center may discover useful information about how to test for specific attacks and how to do so without impacting a live environment, which would be invaluable to the testing community. Granted, sources such as OWASP continue to be a great knowledge base for the latest and greatest in the security world, but a forum such as the sharing center will take security testing to the next level by getting hands-on input from organizations based on their experience.
For this initiative to succeed, though, a few important things must happen. First, organizations should be Good Samaritans in sharing valuable information, without fear of being let down or looked down on for being transparent. Unless this happens, the resource center will soon become a center in name only, holding static information that is no longer current.
Second, one or two member organizations will need to be identified as moderators to regulate activity on the forum, ideally on a rotational basis.
And finally, access to information within the forum needs to be restricted and monitored. If this becomes free information available for everyone to access, hackers surely will be regular visitors reading the suggestions on the forum and looking for ways to exploit them.
With these factors taken into account, this center will certainly be a welcome addition to the world of cyber security. The organizations that have bootstrapped it deserve all the applause they get.