{"id":533,"date":"2004-04-06T00:00:00","date_gmt":"2004-04-06T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2004\/04\/06\/bridging-the-gap-between-security-and-developers\/"},"modified":"2021-12-30T11:37:37","modified_gmt":"2021-12-30T11:37:37","slug":"bridging-the-gap-between-security-and-developers","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2004\/04\/06\/bridging-the-gap-between-security-and-developers\/","title":{"rendered":"Bridging the gap between security and developers"},"content":{"rendered":"<p>A lack of common understanding between IT security professionals and application developers is causing security flaws to be built into systems from the earliest stages of development.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Peter Wood, partner and chief of operations at First Base Technologies, said that because developers are not security professionals, their application development stresses functionality, not security, and there is a lack of awareness of security issues.<\/p>\n<p>Application vulnerabilities occur, said Wood, because common coding techniques do not necessarily include security; input is assumed to be valid, but untested; and inappropriate file calls can reveal source code and system files.<\/p>\n<p>To bring security to the development environment, said Wood, it is necessary to create and enforce secure coding practices, self-assess code during development, implement security checks into the quality assurance cycle and consider security during change control.<\/p>\n<p>The challenge of achieving this in global organisations was addressed by Andy MacGovern, global security awareness manager at Reuters.<\/p>\n<p>He said that security is often seen as a &#8220;hold up&#8221; in the product development lifecycle, where products have to be delivered faster in a climate of increased customer expectations, more complex products, reduced budgets, 
fewer resources and a tougher legislative environment.<\/p>\n<p>MacGovern also said organisations should identify and adopt an appropriate security framework and develop policies suited to the organisation.<\/p>\n<p>Reuters has developed an extended practice that takes into account limited security resources, and aims to have two &#8220;streams&#8221;: replication of security consulting resources, and the development of so-called &#8220;security evangelists&#8221; &#8211; people who understand the need for security.<\/p>\n<p>In his presentation, Stuart King, security consultant at Reed Elsevier, highlighted the most common vulnerabilities in corporate IT infrastructure: buffer overflow, web servers, database servers, cookie poisoning, parameter tampering, SQL injection and cross-site scripting.<\/p>\n<p>http:\/\/www.microscope.co.uk\/articles\/article.asp?liArticleID=129648&#038;liArticleTypeID=20&#038;liCategoryID=2&#038;liChannelID=22&#038;liFlavourID=2&#038;sSearch=&#038;nPage=1<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-533","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/533","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=533"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityin
stitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/533\/revisions"}],"predecessor-version":[{"id":3020,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/533\/revisions\/3020"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
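Two of the flaws named in the post, Wood's "input is assumed to be valid, but untested" reaching an "inappropriate file call" that reveals system files, and the SQL injection on King's list, shown as the naive handler beside its hardened form. This is an added example, not code from the article or from any of the speakers' organisations; the web root, the file names, the user table and the attacker payloads are all constructed here for illustration.

```python
"""Naive versus hardened handling of two untrusted inputs: a file name that
reaches a file call, and a username/password pair that reaches a SQL query.
Constructed example; every path, file and row below is a fixture, not data
from the article."""
import os
import sqlite3
import tempfile

# --- Constructed fixture: a web root holding one public page and, one level
# above it, a "system file" that the application must never serve. ----------
_TMP = tempfile.mkdtemp()
WEB_ROOT = os.path.join(_TMP, "www")
os.makedirs(WEB_ROOT)
with open(os.path.join(WEB_ROOT, "index.html"), "w") as _f:
    _f.write("<h1>public page</h1>")
with open(os.path.join(_TMP, "app.conf"), "w") as _f:
    _f.write("db_password=s3cret")  # constructed secret, for the demo only


def serve_file_naive(name: str) -> bytes:
    """The 'inappropriate file call': the name is assumed valid and joined
    straight into the path, so '../app.conf' walks out of WEB_ROOT."""
    with open(os.path.join(WEB_ROOT, name), "rb") as f:
        return f.read()


def serve_file_hardened(name: str) -> bytes:
    """Canonicalise first, then check the resolved path is still inside the
    web root. Checking the resolved path rather than the raw string is what
    also catches absolute names and mixed separators that a blacklist of
    '..' would miss."""
    root = os.path.realpath(WEB_ROOT)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes web root: {name!r}")
    with open(target, "rb") as f:
        return f.read()


def _make_db() -> sqlite3.Connection:
    """Constructed user table with a single row so the queries run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_naive(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """SQL injection: the query is built by string formatting, so quote
    characters in the input are parsed as SQL rather than as data."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: values travel separately from the SQL text, so a
    quote in the input can only ever match a literal quote in the table."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run the same attacker inputs through both versions of each handler and
    report which the naive code fell for and which the hardened code stopped."""
    conn = _make_db()
    traversal = "../app.conf"   # constructed path-traversal payload
    injection = "' OR 1=1 --"   # constructed injection payload: comments out the password check
    results = {
        "naive_leaks_conf": b"db_password" in serve_file_naive(traversal),
        "naive_login_bypassed": login_naive(conn, injection, "wrong"),
        "hardened_login_bypassed": login_hardened(conn, injection, "wrong"),
        "hardened_login_valid": login_hardened(conn, "alice", "correct horse"),
        "hardened_serves_index": serve_file_hardened("index.html").startswith(b"<h1>"),
    }
    try:
        serve_file_hardened(traversal)
        results["hardened_blocked_traversal"] = False
    except PermissionError:
        results["hardened_blocked_traversal"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Both fixes are the kind of "secure coding practice" Wood calls for: they do not try to recognise bad input, they make the dangerous interpretation impossible (a resolved path compared against the root, a query whose data is never parsed as SQL), which is what a self-assessment or QA check can verify mechanically.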