Sixty percent of security breaches are internal to the organization, and yet when we think about security we usually think about vulnerabilities, exploits, and so on. All the while, that 60 percent of hacks amounts to a person simply logging into the system and taking whatever the hell they want. I’ve been thinking about this quite a bit recently. I spent a great deal of time researching security-related issues for a chapter of my upcoming book and unfortunately found very little on hardening internal systems.
Yes, there is material about that too, but the vast majority of it seems geared towards external threats rather than internal ones. I get that. Securing internal systems is hard, but it’s probably the most important thing we can do, and it’s probably not as hard as many of us think. I’d like to preface this by stating that I’m not a security expert. The reason I’m writing this post is that most of us aren’t. So what can we “typical programmers” do to mitigate security risks?