Compliance does not always translate to effective security
Many organizations must adhere to regulatory mandates, but it is also important to understand that compliance does not always translate to security. One trap that many companies fall into, according to TechTarget contributor Dan Cornell, is relying solely on a compliance checklist to protect their digital assets. Matching implementations against the Payment Card Industry Data Security Standard (PCI-DSS) and other mandates can protect organizations from many threats. However, companies must think beyond a simple checklist and shift toward a more comprehensive computer security framework.
Cornell highlighted the Open Software Assurance Maturity Model (OpenSAMM). In addition to exploring 12 areas that are critical to software security, OpenSAMM encourages an evaluation of each organization's unique needs and continuous improvement.
"Many organizations do not have a handle on the scale of the problem - how many teams, how many applications, what measures are currently in place. OpenSAMM lets an organization look at the different assurance activities they have in place," Cornell wrote. "It shows how comprehensive their approach is to these activities. Organizations should aim to move beyond the 'all or nothing' approach mandated by a PCI compliance checklist."
OpenSAMM emphasizes the importance of flexibility. There is no one-size-fits-all approach to effective security and even needs within one organization can change over time. As a result, it is important to account for shifting organizational needs, making additional investments and changing security practices when necessary.
A multi-faceted process
One advantage of the framework is that it approaches secure software development from multiple angles. By first looking at existing governance practices, businesses can not only determine whether they are compliant, but how effective their strategies are overall. This will likely lead to the creation of new policies and practices, which must then be tested to ensure they yield the intended results. Following the paradigm laid out by OpenSAMM also encourages frequent improvement of existing solutions even as new ones are adopted.
For example, using code signing certificates is a common approach for businesses to increase trust in their software. While signing can raise user confidence by verifying the source of software, it is also important to renew certificates on a regular basis, so that the technology continues to meet best practices and is applied to newly released software.
One of the dangers of looking at compliance from a checklist perspective is that it is easy to miss best practices and unnecessarily expose software to new risks. When implementing code signing certificates, it is important to keep a separate infrastructure for testing so that pre-release code is only trusted on systems with access to the test certificate authority.
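As an added illustration of that last point (example code written for this page, not Thawte's or OpenSAMM's), the Go program below builds a hypothetical production CA and a separate test CA, issues a code-signing certificate from each, and checks which builds a host would trust depending on which CAs sit in its trust store; all CA and signer names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a code-signing leaf under parent, or a self-signed CA when parent is nil (errors dropped for brevity).
func mkCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { // CA: may sign certificates, not code
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted reports whether a host whose trust store holds exactly roots would accept code signed by leaf.
func trusted(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}

// Scenario: separate production and test CAs (constructed names). Reports whether a production host rejects a test-signed pre-release build, whether a test host accepts it, and whether production accepts the release.
func Scenario() (prodRejectsPreRelease, testHostAcceptsPreRelease, prodAcceptsRelease bool) {
	prodCA, prodKey := mkCert("Example Production Code Signing CA", nil, nil)
	testCA, testKey := mkCert("Example Test Code Signing CA", nil, nil)
	release, _ := mkCert("release-signer", prodCA, prodKey)
	preRelease, _ := mkCert("prerelease-signer", testCA, testKey)
	return !trusted(preRelease, prodCA), trusted(preRelease, prodCA, testCA), trusted(release, prodCA)
}
```

A production host that never receives the test CA cannot be tricked into running a pre-release build, which is the property the separate test infrastructure is meant to guarantee.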
Build trust in your software by getting a code signing certificate from Thawte today.