Industry Watch: Opening the door ... carefully

December 1, 2008 — 
Application and IT security has been thought of as a gate and a guard, a way to keep hackers at bay and to protect intellectual property. But IBM’s Kris Lovejoy, director of corporate security strategy, sees security as an enabling technology, a way to let the good guys in to facilitate business.

“If you ask a CIO what he wants his company to be when it grows up, he’ll tell you he wants a globally integrated enterprise. He wants access to new markets, to take advantage of offshore suppliers with lower cost structures, to move employees to teleworking, to reduce brick-and-mortar locations, and to let consumers access their products and services with smart devices,” she said.

But in order for that to happen, Lovejoy said, security functionality must be baked into the architecture and the development process.

Lovejoy presented IBM’s Security Technology Outlook at the company’s recent Security Summit. The paper offers a detailed look at the set of technologies that high-level company executives need in order to achieve those goals. It is based on surveys and other data gathered from such executives and is available on IBM’s website.

One of the nine trends cited for application development (many of the trends look at security from an IT standpoint) discusses the predictable security of applications. Lovejoy described this as common sense for risk management. “To have a securely built application, you need a good process about how you build it, how you test it and how you release it,” she said. “You need to implement a security policy and require developers to adhere to that policy.”

What you end up with, Lovejoy explained, is a beefed-up release management process with vulnerability testing and greater QA.

From the standpoint of application development policy, Web 2.0 and its composite applications have allowed vulnerabilities to be introduced into production environments much more quickly than was the case in the past. Composite applications “have been great for developer efficiency,” Lovejoy said, “but who’s to say that’s a good widget they’re grabbing?”

Developers, she said, often do not understand the composition of their applications and therefore don’t understand the security profile of those apps. “There’s usually testing after deployment, but by then it’s too late.”

Contributing to the problem is a long-standing governance flaw in most organizations, governance in the sense of who holds which job roles and responsibilities for security.

Historically, companies just did not have security policies that covered preproduction environments. Security was always an afterthought—something for the IT guys to handle with firewalls, authentication keys and passwords.

But as hackers threatened the integrity of credit-card and smartcard transactions, the PCI Data Security Standard was written to specify that Web applications had to undergo a preproduction review. And now, Lovejoy said, developers are required to jump into the fray. “There’s now a recognition, from a risk management perspective, that you need to protect at the application layer.”

The need for security at the application level has led to the inclusion of security expertise in development tools and platforms, and to security checks at every possible point during development.

Yet if you ask developers over a beer what’s the first thing they do when they’re ready to compile code, the answer will be, “‘Shut down the antivirus.’ It eats up so much [of the] resources on a machine that the compile takes a long time,” Lovejoy said. “So developers have come to think of security as a bad thing because it slows them down.”

Organizations are also trying to counter the effects of security and compliance fatigue, she said. Every time a new regulation comes down the pike, an organization has to spend large sums of money on a point product to meet a single demand.

“Now they’re looking at their architectures and resources, and they see silos of technologies bought and applied in specific lines of business. There’s no way to measure the effectiveness of any of these solutions in a broad way,” said Lovejoy.

So organizations are looking to rationalize their security decisions, asking what really matters and ridding themselves of the things they don’t need or that aren’t effective.

But companies won’t get to where they want to be without a coherent, enforced security policy that looks at both the physical layer and the application layer—and until they get buy-in from the development team.

David Rubinstein is editor-in-chief of SD Times.

Share this link: http://www.sdtimes.com/link/33073