Zeichick's Take: Learning from LexisNexis
From the September 29th edition of News on Thursday
October 1, 2005 —
(Page 1 of 2)
For the past several weeks, we've been working on the technical program for next February's Software Security Summit. We've finally nailed it all down, and as of today, you should be able to see the entire class listing online at www.S-3con.com. (S-3Con is produced by BZ Media, which publishes this newsletter.)
What struck me while reviewing the final program, is how many ways that vulnerabilities can get into an application. Sometimes you have to look at the forest, not the trees; sometimes you have to look at the trees, instead of the forest. And sometimes you have to look at the a specific leaf, branch or root.
For example, one way to introduce vulnerabilities is to neglect to properly code a buffer to handle an accidental or malicious overflow. Many documented Web exploits leverage unchecked buffers. The place to fix that would be at the code level; it's not an architectural or design flaw, so architects or designers wouldn't be able to plan for it.
Yet sometimes the problem is a big-picture issue. For example, Web services and SOAs entail many hand-offs between one application and another, and they generally make implicit assumptions about the security of the transport, or the presence of an authentication/authorization system, or some such. Here, security needs to be provided at the infrastructure level, but its presence must be enforced- enforced!-by the applications themselves.
A good rule of defensive programming is, "you can't assume that the other program took care of the security." But architects and designers make that assumption all the time, and don't mandate that the individual pieces of the application most actively participate in the security scheme. Since it's not in the design, it's not in the requirements, and so it doesn't get built or tested.
But a bigger problem isn't the forest, but the forest ranger: Too few dev teams are taking security seriously-as seriously as hitting the release dates, or meeting all their functional requirements.
Share this link: http://sdt.bz/28898
Most Read Latest News Blog Resources
Zeichick’s Take: Radio moves from analog waveforms to digital packets
Streaming radio highlights the need for streaming applications to be designed to take up as little bandwidth as possible
|
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Appcelerator Acquires Cocoafish to Add Instant Mobile Cloud Capabilities to its Industry Leading Titanium Platform
Appcelerator Offers Messaging, Social, Location and Storage Mobile Cloud Services to All Mobile App Publishers
|
|
ComponentOne Releases a Collection of 40+ UI Widgets Powered by HTML5 and jQuery
ComponentOne has announced the 2012 release of Wijmo: a kit of UI widgets for HTML5 and jQuery development
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
|
|
Not so fast when it comes to testing in the cloud
Developers face outsourcing, virtual lab management and mobile devices as obstacles
|
|
Xceed releases UX-focused suite for Microsoft’s WPF
"Blendables" helps match user experiences to developer visions
|
Are you at risk for burnout?
Burnout is a severe problem and it can strike at any time. Here's how to tell if you are nearing the edge.
|
|
Agility, mom, and apple pie
If we're to evaluate the state-of-the-art in software development, we should start with the values espoused in the Agile Manifesto.
|
|
RIM woos developers with free tablet
How do you get more apps ported to the BlackBerry PlayBook? By giving every developer a free tablet, of course!
|
|
GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.
|
The Hidden Costs of Software Licensing
Moving beyond paper-based software licensing to more flexible, software-based licensing is a business decision. There is a growing trend tow...
|
|
Case Study: You May Need a Development Mechanic
As a contractor for a major financial player in Germany, SOBEGE, a German-based consultancy specializing in embedded IT and web services, wa...
|
|
Ensuring Software Quality at a Major International Bank
One of the world’s leading international banks has adopted AgitarOne technology for delivering generated unit tests for their Java software...
|
|
Load Testing Adobe Flex Applications
Adobe Flex applications may be different from applications you’ve worked with before. For classic HTML web applications, the server does all...
|