To Centurion Information Security, cybersecurity always comes first. The Singapore-based penetration testing and security advisory firm met up with the HackwareNews team to share their invaluable experience of the ever-changing cybersecurity world.
Sunny Neo, senior consultant of Centurion, told HackwareNews that there was still room for improvement in the cybersecurity mindset of Singapore-based companies.
“More than often, Singapore-based companies engaged our services for penetration testing at the last stage of their project development,” observed Neo.
The Early Bird Catches the Worm
Relying on security testing only towards the end of a project often means that security flaws have to be rectified at the last minute. This could require re-designing, coding and quality testing all over again, all of which are time-consuming and costly. In some instances, a delay in a new product launch could even cause an organisation to lose its competitive edge within its market.
To Neo, the best solution would be for organisations to incorporate cybersecurity throughout the different project milestones. This could include consultancy during the planning phase, secure design/code reviews during development, and finally vulnerability assessment and penetration testing.
Identifying and understanding possible risks earlier would allow security controls to be implemented concurrently with the system from the ground up. This would also save effort and cost for the organisation.
Secure by Design
“Secure by design is what we want to achieve during project development,” opined Neo.
However, not many firms can fully claim to be “secure by design”, especially small and medium enterprises (SMEs) when compared with the larger, established financial institutions based in Singapore.
“SMEs have generally not picked up the cyber-security mindsets as compared to the banks,” Neo told HackwareNews.
In his opinion, apart from the Personal Data Protection Act (PDPA) in Singapore, cybersecurity regulations are fairly new – such as the recent cybersecurity bill proposed in 2017. Hence most industries are less mature than their counterparts in the financial industry when it comes to cybersecurity.
In contrast, the banking and finance industries are heavily regulated and are required to comply with the Technology Risk Management (TRM) implemented by the Monetary Authority of Singapore (MAS). This has led to more awareness and better implementation on their part, including the development and publication of the Penetration Testing Guidelines for the Financial Industry in Singapore by The Association of Banks in Singapore (ABS).
Prevention is Better Than Cure
Neo often used the phrase, “Security is not a job but a lifestyle” – a value held by the Centurion Security consultants. They believe that cybersecurity-conscious firms and personnel constantly need to keep up with the latest trends and technology.
Questions like “How can we breach this system before it is actually breached?” must be asked to make sure that they remain on top of their game.
Solving the Talent Shortage
In this respect, Centurion wants to do its part by conducting training and workshops targeted at software developers and project managers, to provide updates on the latest buzz in the cybersecurity ecosystem. Firm believers in contributing back to their industry, they are involved in various activities with this goal in mind.
Keen on sharing knowledge, Centurion often speaks at events within the cybersecurity community. Most notably, Centurion’s Principal Consultant, Ryan Baxendale, presented on “Microservices and FaaS for Offensive Security” at the 2017 DEF CON Conference – the world’s longest-running and largest underground hacking conference, in Las Vegas.
Beyond that, several Centurion consultants are also Adjunct Lecturers teaching at several polytechnics in Singapore, exposing students to real-world cybersecurity issues. Recently, the company has also been sponsoring students to attend the upcoming security conference “Infosec in the City”.
After all, Neo believes that cybersecurity is one big community where participants share tools and learn new techniques to grow together. This mindset is also in line with Centurion’s core values of educating, doing research, and offering bespoke consultancy services to organisations ranging from SMEs to MNCs across different sectors, and even to different government entities.