Customer Security and Software Security

Wednesday, February 02, 2011

Danny Lieberman


If you are an IT person, this article may be a waste of your time. But – if you are in the business of making and delivering products with software inside – read on.

What threats really count for your business?

No question is more important for implementing an effective security and compliance program for your product development.

Management, software developers and security analysts cannot expect to mitigate risk effectively without knowing the sources and the cost of threats to the company’s products and to the users of those products.

The prevailing IT security model is built on defense in depth of IT systems. The most common strategies mitigate external threats with network and application security products that are reactive countermeasures: blocking network ports and services, detecting known application exploits, or blocking the entry of malicious code into the network.

Are any of these security countermeasures likely to be effective in the long-term for software applications and software-based appliances? Can attacks on a software product be neutralized with defensive means only?

In other words, is there a “black-box” security solution for your products?

The answer is clearly no.

A reactive network defense tool such as a firewall cannot prevent the exploitation of software defects, and an application firewall is no replacement for an in-depth understanding of company-specific source code or product configuration vulnerabilities.

This paper presents a rigorous software development process for delivering a secure software product, starting from a simple notion: “buggy software is insecure software”.

By removing software defects we are in the best position to deliver secure software to our customers.

Download the full article: “Make your business secure by making your software secure”.

Cross-posted from Israeli Software

shawn merdinger: Dilbert is so accurate at times.

http://www.dilbert.com/2011-02-03/
Danny Lieberman: I love it.

Consider this little piece of computer history:

There was a sign over Ed DeCastro's desk at Data General - "Not everything worth doing is worth doing well".

In 1999 - DG was bought by EMC for $1BN and in 98 Compaq bought DEC for $10BN -

I guess there IS value for shareholders in doing things better.
shawn merdinger: Aside from the "biz case" pushing against security, I suggest it's worth mentioning that from a 50K-foot perspective, we security folks are just starting to scratch the surface of recognizing and addressing risks and attacks...

I like the medicine/security analogy often made, and personally I think security knowledge and techniques are akin to where modern medicine was 100 years ago.

Put another way, we're just starting to get folks to wash their hands, and are a long way from the security equivalent of, say, mapping DNA.

For more on this train of thought:

"12 Monkeys - Germs"
http://new.wavlist.com/movies/151/12m-germs.wav

Wikipedia: Ignaz Semmelweis
http://en.wikipedia.org/wiki/Ignaz_Semmelweis

"Congressional Testimony of Fred B. Schneider (Cornell CS)"
http://www.cs.cornell.edu/fbs/publications/SciPolicyHouseArmedServsFeb2010.pdf