
Making the decision to part-exchange the two-door sports car
and purchase something more practical is often determined by two
factors. We need a car that can accommodate the pram, and we need
something 'safer'. The first requirement is easily tested, while
the second requirement is satisfied with the European New Car
Assessment Programme (Euro NCAP). The programme publishes safety
reports on new cars, and awards 'star ratings' based on their
performance in a series of crash tests, writes Raj
Samani, vice-president of communications at ISSA
UK.
Having objective safety information is critical to the selection
of a product that demands security for its users. For IT managers,
such critical information for deciding which application is best
for running the payroll is likely based on vendor assurances.
There have been rumours of a kite mark for software, and notably
for their security. Although a useful idea, one has to question
rubber-stamping quality, when we all know that software
vulnerabilities are identified in products that marketing
departments class as "100% hacker-proof", or words to that
effect.
So in the absence of an objective standard to measure the
security of your next purchase, what options exist?
For most organisations, adhering to the old security mantra of
defence in depth is likely to reduce the impact of any future
vulnerabilities. Applying security patches in a timely fashion and
regularly performing security testing also reduce that impact.
For added assurance, and wherever possible, engaging a security
testing organisation to review the code of the application is well
worth the money. If this is not possible, then look to use software
that has gone through added testing for use within central
government or carry out a code peer review within your development
community, and look to OWASP and SANS to ensure the "Top 20"
vulnerabilities have been addressed.
Whichever methods are used to test the application, it is
important to remember to regularly test the security. Because no
matter how safe you think you are, there is always something or
someone out there capable of proving you wrong.