As someone who designs enterprise software for a living, I find it strange how little detailed analysis there seems to be available in the public domain regarding major cyber attacks and security breaches. I do wonder how companies are supposed to learn from others' mistakes when the information is so rarely available?

There was an excellent analysis* of the recent BA credit card leak which prompted a great deal of internal debate into the level of exposure and risk; however, this was conducted by a third-party analyst and not an official investigation.

https://www.riskiq.com/blog/labs/magecart-british-airways-breach/

However, this is rare, and there have been several high-profile breaches which do not seem to have been so thoroughly investigated with the results published.

When an airliner crashes there is a forensic-level investigation and the results are shared with the wider industry. At the end of the day it is in everyone's best interests, as not only do companies face financial losses compensating their customers, they also risk damage to brand reputation and ultimately fines from regulators.

What are people's opinions on the IT industry adopting a similar black box thinking approach to reporting the causes of security breaches?
Partner up with a security engineer/team. The mindset that creates is different from the mindset that destroys. The gap between enterprise software and security is a very wide gulf. Security exploitation might require intimate hardware details at a level lower than understanding how the OS works, such as understanding the architecture of the CPU, as we have seen with recent speculation attacks on CPUs. Nevertheless, tons have been published on security.

Rule 1. Trust NO INPUT
Rule 2. Trust NO INPUT
Rule 3. Trust NO INPUT

Outside of being compromised due to bad inputs, the other vectors are either logical flows emanating from a complex system with different moving pieces, or stemming from bad practices such as using poorly vetted libraries or encryption schemes, running on insecure platforms, etc.

As someone who works in both spaces, I can assure you that there's a strong strain between the demands of enterprise to release their vague requirements to market and the demand of security to keep everything together. If you try to do both it's easy to end up with some blindness. Hire a security team; the airline engineers don't do the forensics, a different team does and tells them the lessons learned.