Developers’ Guide to Data Loss Prevention: Best Practices and Strategies

What Does Data Loss Prevention Do?

Throughout 2023, a private research university discovered multiple breaches of its data. In August 2023, an American educational technology company found that millions of its users’ email addresses had been scraped. In early October 2023, a genetic testing company had about one million fields of user data stolen.

We don’t know if data loss prevention (DLP) technology played a part in discovering the activity involved in these and other breaches, but these breaches highlight the vital importance of knowing where data goes, and when — all those W questions.

When Technology Broke and How We Fixed It (The Evolution of APIs)

What in the World Is Technology?

Technology is anything that makes tasks easier. It could be something as simple as a thimble to something as complex as AI. Technology, overall, has made life easier, more convenient, and more efficient. We'll start out with the (fairly recent) present in computing technology, then step back for some overview, and finally wrap up by returning to the present.

The Cloud and Anywhere Access

The advent of cloud computing became a boon for developers. PaaS made it possible for them to focus on building applications instead of managing servers. In addition, the cloud provided a new way for developers to build, test, and deploy. (It also played a key role in making the API economy possible by allowing developers to share data between different platforms and services more easily than ever before – but I'm getting ahead of myself.)

How to Block API Runtime Threats

Everyone wants to stop threats. They really do. No one wants someone to break into their home or car. Nobody wants to be accosted on the street. We all want a safe environment wherever we go. But we have to hope for the best and prepare for the worst (and prepare to be surprised!).

It’s the same with apps. No business wants its web or mobile apps to be under fire. It would be great if all the criminals would either honor the purpose of the apps and just leave them be, or simply not notice.

5 API Abuse Use Cases and How to Prevent Them

What Is a Vulnerability?

Sometimes, vulnerabilities are straightforward flaws due to bad design. For example, the Tacoma Narrows Bridge in the state of Washington was built in 1940 and collapsed later that year in a 40-mph wind due to poor construction. No lives were lost (the suspension bridge underwent reconstruction in 1950 and is still standing).

Sometimes, though, vulnerabilities are part of the actual design. Consider door locks. A door lock is not flawed because it can be unlocked. There’s no inherent design flaw in how the pins and tumblers are precision-crafted and laid out. The issue is not that the structure is poor, but that the very consistency of that structure and precise design gives would-be thieves a repeatable way to learn how to pick them. (For more information on locksport, one good organization is TOOOL.)

Distributed Denial-of-Service (DDoS) Attacks: What You Need to Know

The Burgeoning of DDoS Attacks

Distributed Denial of Service (DDoS) attacks are growing quickly, not simply in the number of attacks but also in intensity. In mid-2022, Cloudflare blocked a 26 million rps (requests per second) DDoS attempt. That Cloudflare event was the largest DDoS attempt known until mid-August 2022, when Google blocked the largest known Layer 7 DDoS attempt, clocking in at 46 million rps. Check here for more DDoS attacks (so far) in 2022.

For a fascinating visual of DDoS attacks, look at NETSCOUT’s live map.

API Security Tools: What to Look For

Determine the Goals

In Bruce Lee’s famous movie, “Enter the Dragon,” there’s a scene of Bruce on the junk with the other contenders. One of them, Parsons, asks, “What’s your style?” Bruce answers, “The art of fighting without fighting,” after which he tricks Parsons onto the lifeboat, and Parsons is dragged in that boat behind the ship while the onlookers laugh.

The “What’s your goal?” question is much like the “What’s your style?” question: there is no one right style, and there is no one right goal. Before testing APIs, determine the goals of testing; those goals will help determine the tool specifications. Are there compliance standards to meet? What are the internal departmental and business goals? Are there contractual requirements? Does the SDLC require SAST and DAST to be applied? Does the CISO require RASP and IAST? Define and document the requirements. Remember – if it isn’t documented, it doesn’t exist.