Security Standards
Applying Standards and Best Practices
Using well-established security standards and best practices is one of the simplest ways to reduce security risks. However, security standards come with several challenges:
Too many and inconsistent standards: some standards are poorly written and do not make sense.
Some standards are not open but proprietary. You must pay to obtain the document before you can even work out how to implement the standard.
Some standards lower your security baseline. Not every published standard is good or should be used.
Most standards are too high level and leave room for interpretation at the implementation level. This has caused security breaches in the past and will cause more in the future.
Some government certifications require compliance with non-open security standards. This is a shame: security standards should be open and freely accessible (e.g., under a CC-BY license) and include clear implementation examples.
Tip
A good security standard is open (CC-BY) and includes implementation examples.
Beyond Standards: Best Practices or Bad Practices
While security professionals often rely on best practices, these can be subjective and vary by context. A more reliable approach is to avoid known bad practices. The OWASP Top 10 list is a helpful resource that identifies common security vulnerabilities to avoid.