Tuesday, November 25, 2008

Friday, November 14, 2008

Security mission critical for Application Developers?

Michael Vizard (Information Week blog) has a post titled "Security Becomes Mission Critical for Developers".

Some snippets from his blog:

"There is no serious developer out there that wants to build an insecure application. It's just that there are any number of time constraints that they frequently work under that conspire to make the overall application less secure."
Mike, I agree fully. But the latter (the time constraint) is being used as an excuse for many of the security vulnerabilities that exist in your application. If the application is widely deployed, as browsers are, then god save you: that excuse will not work. What I would like to point out is that there are multitudes of open source tools out there that you can integrate into your builds to perform security analysis as you develop your software. I agree that in many areas of software development there is a scarcity of such tools. In those cases, intuition, best practices and code review help. The key point is that security has to stop being an "after-thought" in any design.

I find FindBugs to be an excellent free static analysis tool that can be run at any time to peek at some of the security vulnerabilities you may have. It is better than nothing.

You know, if you develop insecure software, your competition is going to benefit. An example is what Joern Wettern writes in his Redmond Magazine column titled "A Better Internet Explorer":

"One of the main reasons for the success of Firefox is IE's reputation for being vulnerable to a wide range of exploits."

Isn't that ouch? Now it will be hard for IE to win back the folks who went the Firefox way. Of course there are other reasons: Firefox is cross platform, it is free, and we trust the Mozilla Foundation not to do any evil.

Mike says:

"Unfortunately, we're soon approaching a time when some company will be sued for security breaches related to an application. The reasoning will be that there is no real good reason for making data that belongs to somebody else available to people who shouldn't have it because the application was not secure. In time, a court is going to see that kind of activity as a form of reckless disregard equivalent to a car manufacturer selling cars with faulty brake systems."

True. A faulty car can kill. Faulty software can kill too, and can also cause massive damage to finances, prestige, etc.

The answer is processes, at work and in education. Processes should exist to foster secure coding. In addition, educators at the schools and universities where software development is taught need to build secure coding into the curriculum. Refer to Mary Ann Davidson's blog entry on the "Supply Chain Problem".

Happy software development!!!

Sunday, November 2, 2008

Facebook and Corporate Users

In the latest debacle associated with the use of Facebook, 13 Virgin Atlantic employees (cabin crew) have been sacked for inappropriate discussions on Facebook that brought disrepute to their employer.

http://news.bbc.co.uk/2/hi/uk_news/7703129.stm

"Following a thorough investigation, it was found that all 13 staff participated in a discussion on the networking site Facebook, which brought the company into disrepute and insulted some of our passengers.

"It is impossible for these cabin crew members to uphold [our] high standards of customer service... if they hold these views."

A spokesman for the airline added that there was "a time and a place for Facebook".

Another aspect you need to look at is the proliferation of viruses via social networks: the Facebook Koobface computer virus or the Orkut scrap virus.

The biggest users of social networks are Gen Y, be it in personal, mobile or corporate settings. A disturbing report on Information Week:

"Since Nov. 5, three separate studies -- from Accenture, Intel, and ISACA, a major IT users group -- have indicted the youngest generation of employees as one of the enterprise's newest and most serious security risks. People under the age of 28 -- sometimes called Generation Y and sometimes called Millennials, depending on how you define the category -- are engaging in online behavior that could expose their organizations to data leakage and information theft, the studies say."


"Interestingly, the Intel study suggests that many IT organizations are changing their behavior to accommodate the younger employees, rather than the other way around. Nearly 30% of the IT pros surveyed said they have changed their IT policies to meet the demands of Gen Y, allowing employees to access their work e-mail from noncompany smartphones or other devices and, in some cases, relaxing their rules surrounding the use of social networking sites."