From the Editors: Programmers against sloppy security
By SD Times News Team
April 1, 2009 —
(Page 1 of 2)
No honest software developer sets out to write insecure software. Every architect, every programmer, every tester sincerely believes that the code is solid, bug-free and safe.
Yet, of course, we know better, because systems and applications are not secure. Sometimes the architect’s design is flawed. Sometimes the programmer makes assumptions that prove to be false, or forgets to check a buffer or return value. Sometimes a typo creates a vulnerability. Sometimes the testers fail to imagine the creativity of an attack. And sometimes the vulnerability is caused by a dependency that nobody understood.
Consultants and security tools providers, like the well-meaning experts at Cigital and Fortify, are right to continue focusing on this issue. They’re right to offer training and products that can help architects design more secure software, help programmers write more secure software, and help testers spot vulnerabilities that the architects and programmers missed.
To the array of security-awareness tools, we now have the new Building Security In Maturity Model. This initiative has two goals: one spoken, one understood. The spoken goal is to raise awareness. The unspoken goal, of course, is to raise those companies’ visibility and get them more clients and software sales.
The “Building Security In” phrase, in particular, is one that Cigital CEO Gary McGraw has used as a book title and as the topic of numerous lectures and keynotes. It’s a good message, one that needs to be heard.
There are two basic approaches to software security. One is to get software developers to write and deploy more secure software. That’s a never-ending battle, akin to preventing automobile accidents by getting drivers to be more careful. Education can help, but just as no amount of driver’s ed will prevent cars from smashing into each other, no amount of developer training will eradicate all software security defects.
The second approach is to count on tools to protect us from the effects of insecure software. That’s where enterprise IT tends to focus, as it keeps on buying more firewalls, a spam filter, a virus scanner or a source-code analyzer. That too is a never-ending battle, similar to buying cars with more and more airbags, anti-lock brakes, traction control systems, lane-change warnings, backup cameras and so on. These IT security products surely help, but there’s no way they will catch everything that sloppy programmers and malicious hackers toss at the data center.
Related Search Term(s): editorials, security
Share this link: http://sdt.bz/33366
Most Read Latest News Blog Resources
Zeichick’s Take: Radio moves from analog waveforms to digital packets
Streaming radio highlights the need for streaming applications to be designed to take up as little bandwidth as possible
|
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Appcelerator Acquires Cocoafish to Add Instant Mobile Cloud Capabilities to its Industry Leading Titanium Platform
Appcelerator Offers Messaging, Social, Location and Storage Mobile Cloud Services to All Mobile App Publishers
|
|
ComponentOne Releases a Collection of 40+ UI Widgets Powered by HTML5 and jQuery
ComponentOne has announced the 2012 release of Wijmo: a kit of UI widgets for HTML5 and jQuery development
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
|
|
Not so fast when it comes to testing in the cloud
Developers face outsourcing, virtual lab management and mobile devices as obstacles
|
|
Xceed releases UX-focused suite for Microsoft’s WPF
"Blendables" helps match user experiences to developer visions
|
Are you at risk for burnout?
Burnout is a severe problem and it can strike at any time. Here's how to tell if you are nearing the edge.
|
|
Agility, mom, and apple pie
If we're to evaluate the state-of-the-art in software development, we should start with the values espoused in the Agile Manifesto.
|
|
RIM woos developers with free tablet
How do you get more apps ported to the BlackBerry PlayBook? By giving every developer a free tablet, of course!
|
|
GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.
|
The Hidden Costs of Software Licensing
Moving beyond paper-based software licensing to more flexible, software-based licensing is a business decision. There is a growing trend tow...
|
|
Case Study: You May Need a Development Mechanic
As a contractor for a major financial player in Germany, SOBEGE, a German-based consultancy specializing in embedded IT and web services, wa...
|
|
Ensuring Software Quality at a Major International Bank
One of the world’s leading international banks has adopted AgitarOne technology for delivering generated unit tests for their Java software...
|
|
Load Testing Adobe Flex Applications
Adobe Flex applications may be different from applications you’ve worked with before. For classic HTML web applications, the server does all...
|