Dennis Hughes, first chief of the FBI’s computer investigations unit, is often quoted as saying: “The only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location… and I’m not even too sure about that one.”
With computers, newly discovered and still unpatched vulnerabilities are called Zero-Day Exploits. Such vulnerabilities are shared among hacker communities and kept secret from the software’s developers for as long as possible. These exploits act as a hidden doorway into many servers; had the developers known about them, they would have tried to shut that door. The name Zero-Day Exploit comes from the fact that the developer has had “zero days” of awareness of the problem, and therefore zero days to work on a solution or fix.
So, when we say that a computer is secure, what we mean is that we have taken precautions against all known threats above a certain threshold. Security is about the weakest link in the chain, and with new web technologies arriving every day, that chain keeps changing.
If you rate the security of every aspect of your website on a scale of 1 to 10, and you have rated most of them as 9 and a couple of them as 6, then the overall security is 6: an attacker only needs the weakest aspect. If you upgrade a piece of software and that upgrade introduces a new Zero-Day Exploit, your security level just dropped to the level of that exploit.
But we don’t actually need 100% security. So how much do we need?
Our level of security should be in proportion to our needs and goals. For example: if I have $100, I don’t need to build a high-security vault to protect it. I can keep it in my cupboard, lock the door, lock the house and be content that it is secured. But if I had $100 million, I would probably not trust the lock on my house alone; I would want a more secure system in place to protect such a large amount, because the impact is far greater if that security is compromised. So I would be willing to invest time and money to set up more secure infrastructure.
It is also important to execute the security you need really well. Do not compromise on cost or time if you need a certain level of security.
Curious where you stand? Fill in our free assessment and get some suggestions to improve the security of your software development.