Customer Security and Software Security

Wednesday, February 02, 2011

Danny Lieberman


If you are an IT person, this article may be a waste of your time. But if you are in the business of making and delivering products with software inside, read on.

What threats really count for your business?

No question is more important for implementing an effective security and compliance program for your product development.

Management, software developers and security analysts cannot expect to mitigate risk effectively without knowing the sources and the cost of threats to the company's products and to those products' users.

The prevailing IT security model is predicated on defense in depth of IT systems. The most common strategies mitigate external threats with network and application security products that are reactive countermeasures: blocking network ports and services, detecting known application exploits, or blocking the entry of malicious code into the network.

Are any of these security countermeasures likely to be effective in the long-term for software applications and software-based appliances? Can attacks on a software product be neutralized with defensive means only?

In other words, is there a “black-box” security solution for your products?

The answer is clearly no.

A reactive network defense tool such as a firewall cannot prevent the exploitation of software defects, and an application firewall is no replacement for an in-depth understanding of company-specific source code or product configuration vulnerabilities.

This paper presents a rigorous software development process for delivering secure software products, starting with a simple notion: "buggy software is insecure software".

By removing software defects we are in the best position to deliver secure software to our customers.

Download the full article: "Make your business secure by making your software secure"

Cross-posted from Israeli Software

shawn merdinger: Dilbert is so accurate at times.

Danny Lieberman: I love it.

Consider this little piece of computer history:

There was a sign over Ed DeCastro's desk at Data General - "Not everything worth doing is worth doing well".

In 1999 DG was bought by EMC for $1BN, and in 98 Compaq bought DEC for $10BN.

I guess there IS value for shareholders in doing things better.
shawn merdinger: Aside from the "biz case" pushing against security, I suggest it's worth mentioning that from a 50K-foot perspective, we security folks are just starting to scratch the surface of recognizing and addressing risks and attacks...

I like the medicine/security analogy often made, and personally I think security knowledge and techniques are akin to where modern medicine was 100 years ago.

Put another way, we're just starting to get folks to wash their hands, and are a long way from the security equivalent of, say, mapping DNA.

For more on this train of thought:

"12 Monkeys - Germs"

Wikipedia: Ignaz Semmelweis

"Congressional Testimony of Fred B. Schneider (Cornell CS)"
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.