
Hardly a day goes by without a new threat or technique being
identified to find and exploit vulnerabilities in software, writes Andrew Kays, head of development at Nexor.
With nearly every aspect of our lives becoming reliant on
computer technology, how do we know that the systems we are
using are secure and cannot be easily exploited? This is important
in an individual's day-to-day life and their use of technology, but
can be absolutely paramount within the corporate and government
worlds. Here, people's lives and the national interests can be at
stake and it is imperative to know that systems are secure.
How can you know whether you can trust a system to be secure? This is a
very difficult question to answer, but an appreciation of how the
system or product was developed provides some confidence that the
appropriate care has been given to the secure design and
implementation of the software. In the constantly changing threat
landscape, the organisation needs to know that system developers
are keeping up-to-date with the different threats and possible
exploits that the software can be vulnerable to, and that they
provide regular communication on how the issues affect their
system.
Do you know how your system was developed and the methodologies
employed? Was the appropriate emphasis placed on security in its
design during production? Questions such as these have not been asked
traditionally, but in today's world of easy internet communication
the exposure of our organisations is greatly increased, making it
easier for malicious individuals to have the opportunity to try to
exploit these systems.
Good development practices can help minimise the security risks
within systems. Approaches and techniques such as threat analysis,
static and dynamic source code scanning and penetration testing can
dramatically reduce the number of possible vulnerabilities. The
understanding and use of such techniques and how they are employed
in a system's production significantly decrease your chances of
exposure.
Forms of accreditation, such as Common Criteria, provide
assurance that systems meet their claims, but these processes are
costly and time consuming. Although they have their place in
high-assurance environments, they are not dynamic enough to deal
with new threats that appear on a day-to-day basis.
The emerging secure development methodologies, which are based
on good security practice, provide a possible way forward, giving
consumers confidence that the basic security considerations have
been designed into the system and that the suppliers are monitoring
and providing continual communication on how these issues could
affect their IT. Systems and threats are not static; this is a
continual process.
Many companies that develop software are acutely aware of the
importance of the security demands and are taking the appropriate
actions, such as implementing secure development lifecycles, but
many are not. To drive the importance of security in the IT
industry we need to start asking these questions of our system
suppliers. Only then will providers ensure their products are as
secure as possible.
Ask yourself, do you know how security was considered by your
solution provider? What precautions have they taken in developing
the system for you? If you are a software provider, have you really
considered the security of your offering?