
Major software makers fail security transparency test



David Worthington
April 24, 2009 —  (Page 1 of 2)
A majority of the industry's leading software makers surveyed by SD Times lack transparency about the internal principles they use for writing secure software. Analysts believe that those companies are either practicing security by obscurity, are not adequately performing security practices during software development, or are simply unwilling to talk about it.

In March, we threw down the gauntlet and challenged leading software companies and organizations to show us what they are doing to write secure software. Not one of the 23 companies and organizations that we listed responded, and in a follow-up in April, only four provided us with answers.

The question was inspired by the publication of Microsoft's Security Development Lifecycle (SDL) software security assurance process in 2004, as well as the company's subsequent steps to share that blueprint with developers inside enterprises and at third-party application firms.

Microsoft does not ship software unless it has been put through the SDL process, and it credits the process for markedly reducing security vulnerabilities in its products.

Adobe, Amazon.com, the Apache Software Foundation, Apple, CollabNet, the Eclipse Foundation, the Free Software Foundation, IBM, Intel, the Linux Foundation, Oracle, Red Hat, Software AG, Sun Microsystems, Sybase, VMware and Yahoo did not respond to our inquiry. Nokia and Salesforce.com acknowledged the request but were unable to provide comment by deadline.

"There is such a disconnect between security experts and application development professionals that they probably lack the ability to respond in a coherent manner," said Mike Gualtieri, a senior analyst with Forrester Research.

"Security at many firms is done after the software development life cycle. Also, they probably don't want to reveal their app dev security process because it could be sub-par to where it should be and encourage hackers to attack, attack, attack."

Google has published a security resource on its Security and Privacy page for Google Apps. That resource includes a white paper that provides information about Google's general organizational and operational security practices to customers, partners and users, said spokesperson Jay Nancarrow.

Comments


04/24/2009 06:24:36 PM EST

Do you really believe The Linux Foundation, or any other open source project/company, is practicing security through obscurity?

Richard Chapman, United States


05/20/2009 05:10:53 PM EST

@Richard I don't buy the argument that 'more eyes' automatically means more security. The requirements that go into developing the software, and the tools that are used, matter regardless of the methodology.

David Worthington, United States

