What’s your current approach to preventing data injection into your commands framework? Do you place more focus on secure coding practices, testing, patching, user input validation or something else altogether?

Chief Information Security Officer in Healthcare and Biotech, 2 years ago

We mostly focus on securing code, testing and patching, etc. But we have now taken a few small steps, especially on the API side, for data injection.

CIO in Retail, 2 years ago

More focus on secure coding practices and testing as a primary approach.

Chief Technology Officer in Education, 2 years ago

I don't have any particular security credentials but will share my approach from a software engineering standpoint. My simple answer would be "yes" to your second question. What I mean is that you need all of these approaches, and security is really a multi-layered approach. Security training and secure coding practices are critical (and a requirement for many cloud certifications like SOC2). Testing, and hopefully automated testing, is key to this. You want a broad set of test cases that can be run in an automated fashion. I could go on and on about different things (static code analysis, dynamic web scans) that can be further leveraged too. There's a lot more, so this isn't all encompassing.

Patching is your last resort. That means something bad got in the wild. Think of it this way: your dev cycle starts with dev on the left and flows into production on the right. Patching in production is your most expensive endeavor. The further left in the cycle that you can catch the issue, the cheaper the resolution for your organization.

With all of this being said, the neat thing is we're in a world where soooo much of this can be automated in a CICD pipeline. So, it sounds like a lot, but if you have a CICD pipeline, these tools can all be plugged in. Another interesting concept I'd read about around this idea is DevSecOps.

Lots of information but I had to cut myself off too - hope it all helps.
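As an added example (not code from this thread or any of its participants), here is what the layered approach described above looks like in Python for a hypothetical host-lookup helper: strict input validation, no shell string building, and a table of hostile test cases that a CI pipeline can run on every commit. The tool invocation (`ping -c 1`) and the sample inputs are constructed for illustration.

```python
"""Input validation plus argv-based invocation for a command wrapper.

Constructed example, not from the original thread. The wrapper is a
hypothetical helper that pings a user-supplied hostname.
"""
import re
import subprocess
from typing import List

# Allowlist: only characters a hostname can legitimately contain.
# fullmatch() requires the whole string to match, so newlines and shell
# metacharacters are rejected outright.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def vulnerable_command(user_input: str) -> str:
    """'Before' form: untrusted text is spliced into a shell string.

    Anything in user_input that the shell treats specially changes the
    command that actually runs. Shown only for contrast; never call it.
    """
    return f"ping -c 1 {user_input}"


def validate_hostname(user_input: str) -> str:
    """Return the input unchanged if it is a plausible hostname, else raise."""
    if not HOSTNAME_RE.fullmatch(user_input):
        raise ValueError("rejected: disallowed characters in hostname")
    if user_input.startswith("-"):
        # A valid character set is not enough: a leading dash would be parsed
        # by the tool as an option rather than as an operand.
        raise ValueError("rejected: leading dash would be parsed as an option")
    return user_input


def build_argv(user_input: str) -> List[str]:
    """Argument vector: no shell is involved, so metacharacters are inert."""
    return ["ping", "-c", "1", validate_hostname(user_input)]


def run_lookup(user_input: str) -> subprocess.CompletedProcess:
    """Execute the validated command with shell=False and a timeout."""
    return subprocess.run(build_argv(user_input), shell=False,
                          capture_output=True, text=True, timeout=10)


def is_rejected(user_input: str) -> bool:
    """True if the validator refuses the input (for automated test cases)."""
    try:
        build_argv(user_input)
    except ValueError:
        return True
    return False


# Constructed hostile inputs for the automated test suite: shell operators,
# command substitution, a newline, an empty string and an option-like value.
HOSTILE_INPUTS = ["example.com; id", "example.com && id", "$(id)",
                  "a`id`", "example.com\nid", "", "-c"]


def all_hostile_inputs_rejected() -> bool:
    """The check a CI job would run: every hostile case must be refused."""
    return all(is_rejected(s) for s in HOSTILE_INPUTS)
```

The `vulnerable_command` function exists only to make the contrast visible in a code review or a static-analysis rule; the hardened path never builds a shell string.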
