Cyber Security Institute

Tuesday, April 06, 2004

Bridging the gap between security and developers

A lack of common understanding between IT security professionals and application developers is causing security flaws to be built into systems from the earliest stages of development.

Peter Wood, partner and chief of operations at First Base Technologies, said that because developers are not security professionals, their application development stresses functionality, not security, and there is a lack of awareness of security issues.

Application vulnerabilities occur, said Wood, because common coding techniques do not necessarily include security; input is assumed to be valid, but untested; and inappropriate file calls can reveal source code and system files.

To bring security to the development environment, said Wood, it is necessary to create and enforce secure coding practices, self-assess code during development, implement security checks into the quality assurance cycle and consider security during change control.
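As an added illustration of Wood's two points (untested input and file calls that expose source or system files), here is a Python helper that is not from the article or any of the speakers: it treats a requested file name as untrusted, allow-lists it, and proves the resolved path stays inside the document root; the root directory and the blocked extensions are assumptions for the example, and the last function is the kind of check a QA suite would run.

```python
# Added example: safe handling of a user-supplied file name (not from the article).
from pathlib import Path
import re

DOC_ROOT = Path("/var/www/docs")  # assumed document root for this example

# Allow-list: a plain file name only (no separators, no leading dot).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
# Assumed list of server-side source extensions that must never be served.
SOURCE_EXTENSIONS = (".py", ".php", ".asp", ".cgi")


class RejectedInput(ValueError):
    """Raised when a request fails validation instead of being served."""


def validate_name(requested: str) -> str:
    """Reject anything that is not a plain, allow-listed document name."""
    if not SAFE_NAME.fullmatch(requested):
        raise RejectedInput(f"bad file name: {requested!r}")
    if requested.lower().endswith(SOURCE_EXTENSIONS):
        raise RejectedInput("source files are never served")
    return requested


def resolve_document(requested: str, root: Path = DOC_ROOT) -> Path:
    """Map a validated name onto the document root and confirm it stays inside."""
    name = validate_name(requested)
    root_resolved = root.resolve()
    target = (root_resolved / name).resolve()
    # Belt and braces: even after allow-listing, the resolved target must have
    # the root as a parent (guards against symlinks placed under the root).
    if root_resolved not in target.parents:
        raise RejectedInput("path escapes document root")
    return target


def is_served(requested: str) -> bool:
    """QA-style check: True if the request would be served, False if rejected."""
    try:
        resolve_document(requested)
        return True
    except RejectedInput:
        return False
```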

The challenge of achieving this in global organisations was addressed by Andy MacGovern, global security awareness manager at Reuters.

He said that security is often seen as a “hold up” in the product development lifecycle, where products have to be delivered faster in a climate of increased customer expectations, more complex products, reduced budgets, fewer resources and a tougher legislative environment.

Organisations should also identify and adopt an appropriate security framework and develop policies appropriate to the organisation, said MacGovern.

Reuters has developed an extended practice that takes into account limited security resources, and aims to have two “streams”: replication of security consulting resources, and the development of so-called “security evangelists” - people who understand the need for security.

In his presentation, Stuart King, security consultant at Reed Elsevier, highlighted the most common vulnerabilities in corporate IT infrastructure: buffer overflow, web servers, database servers, cookie poisoning, parameter tampering, SQL injection and cross-site scripting.

Posted on 04/06