Why Can't Johnny Develop Secure Software?
Written by Daniel   
Wednesday, 16 June 2010 17:24

From DarkReading

Security experts agree that there's something wrong with the software development process, but there are differing opinions on how to solve the problem

It's another day in the life of a security pro -- or a hacker. Much of your time is spent searching applications for that one weak point, the one that will lead to the breach of sensitive data. And nearly every day, somebody finds one. Or more.

With all of the security know-how offered today – and all of the advanced tools offered to application developers – why is software still riddled with security vulnerabilities? The answers are many, and they don't always agree. And solutions to the problem? Those are even more diverse.

Vulnerabilities start, experts agree, because developers don't understand how to build security into the code they write.

"There's a lot more acceptance of security as part of the process now, but historically, developers have never been responsible for security," says Brian Chess, founder and chief scientist at Fortify, a company that makes tools for secure software development. "We all understand locks and keys, but not many of us are locksmiths. That's where most developers are."

Caleb Sima, CEO of secure software development tool vendor Armorize, agrees. "Developers are builders and artists," he says. "They like creating, not tearing things down to identify flaws. Security is not a natural thing for most of these people -- it's a different mindset."

There have been many initiatives to educate developers on secure software development practices, including certification programs from organizations like ISC(2), which offers a program that trains programmers in security disciplines. But the education process is slow, experts say.

"The talent coming out of schools right now doesn't have the security knowledge it needs," says Paul Kurtz, executive director at SAFECode, a nonprofit organization backed by major software vendors and focused on secure software development practices. "There needs to be a lot more work in our educational institutions to teach them how to develop secure code."

But nearly all experts agree that no matter how strong the training effort, the average developer will never be very security-savvy. "They're always going to be more focused on code quality and trying to meet their deadlines," Sima says. "If I'm a developer, as soon as I've been assigned a project, I'm already behind. If there's a faster way to do something, they're going to take it, because for them, speed is more important than security."

So if the average developer can't become a security expert, how can organizations ensure that the code written by that developer is vetted and tested to reduce vulnerabilities? Currently, most development organizations have a designated security-savvy person who is responsible for working with less-savvy colleagues to cut down on common vulnerabilities and act as a liaison with the enterprise IT security team, Fortify's Chess observes.
