Monday, June 15, 2015

The Danger Within

Security is surely on everyone's mind these days. One merely has to pick up a newspaper or magazine, or visit a news site online, to read about the latest incident involving the release of personal data, confidential corporate files or government secrets. As a direct result of the rash of these high-profile incidents, articles and presentations abound on the need for better means of protecting our information.

Some of the focus is on better educating the person at the keyboard, since they are most often the initial crack in the armor. I have even advocated for this in previous columns.

We are inundated with demands for better, more complex passwords, and for two-factor, three-factor, biometric and other means of authentication. We must have improved edge security, faster intrusion detection, the latest anti-virus and web filtering systems. Network equipment vendors try to outdo one another with increasingly sophisticated methods of keeping unwanted visitors out, while the security software companies race to stay ahead of the nefarious individuals exploiting holes in the code by spotting the latest attack vectors.

What we do not hear enough about is an effort to ensure there are no holes in the code to exploit. In my recent work with the NAiC investor group I had an opportunity to learn about several companies with tools that automatically read and evaluate software code. These tools can be used to find logic flaws and identify opportunities to improve code efficiency. But importantly, they can also highlight potential security issues, allowing these dangerous holes to be plugged before the code is ever released for use.
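To make concrete what "automatically read and evaluate software code" means in practice, here is an added example, written for this column and not taken from any of the tools or companies mentioned above. It uses Python's standard ast module to walk a parsed source file and flag three patterns that a security-aware code review looks for: a credential hard-coded as a string literal, a shell command assembled from runtime data, and eval() applied to input that is not a literal. The sample source it scans, the rule names and the list of secret-looking variable names are all constructed for the example.

```python
import ast

# Constructed sample source (not real project code): the kind of file that
# passes a crash-and-menu QA check because every function runs to completion.
SAMPLE_SOURCE = '''
import os
import subprocess

DB_PASSWORD = "hunter2"          # hard-coded credential

def ping(host):
    # command built from caller-supplied data and handed to a shell
    return os.system("ping -c 1 " + host)

def archive(path):
    subprocess.run(f"tar czf out.tgz {path}", shell=True)

def compute(expr):
    return eval(expr)            # arbitrary code execution on input

def safe_ping(host):
    # list form, no shell: the argument is never parsed by /bin/sh
    return subprocess.run(["ping", "-c", "1", host])
'''

# Assumed list of substrings that mark a variable as credential-like.
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")


def _call_name(node):
    """Return the callee of a Call node as a dotted name, e.g. 'os.system'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def _is_literal(node):
    """True when the argument is a plain string constant, i.e. no runtime data."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


class SecurityVisitor(ast.NodeVisitor):
    """Collect (line, rule, message) findings while walking the AST."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node)
        first = node.args[0] if node.args else None
        if name in ("eval", "exec") and not (first and _is_literal(first)):
            self.findings.append((node.lineno, "CODE_EXEC",
                                  f"{name}() on non-literal input"))
        elif name == "os.system" and not (first and _is_literal(first)):
            self.findings.append((node.lineno, "SHELL_INJECTION",
                                  "os.system() with a dynamically built command"))
        elif name.startswith("subprocess."):
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True for kw in node.keywords)
            if shell and not (first and _is_literal(first)):
                self.findings.append((node.lineno, "SHELL_INJECTION",
                                      f"{name}(shell=True) with a dynamically built command"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # A string literal assigned to a credential-looking name.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        s in target.id.lower() for s in SECRET_NAMES):
                    self.findings.append((node.lineno, "HARDCODED_SECRET",
                                          f"string literal assigned to {target.id}"))
        self.generic_visit(node)


def scan(source):
    """Parse source text and return its findings sorted by line number."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for line, rule, msg in scan(SAMPLE_SOURCE):
        print(f"line {line}: {rule}: {msg}")
```

Run against the sample, the scanner reports the hard-coded password on line 5, the two shell-injection sinks on lines 9 and 12 and the eval() on line 15, while the list-form subprocess call in safe_ping() is left alone. None of these four functions would fail a test that only asks "does it crash?", which is exactly the gap between a QA pass and a security review.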

Major corporations, particularly software houses, routinely have a QA group perform reviews. But the priorities of the company and the demands of the marketplace often push the code release ahead of a complete review. Moreover, the QA department is often the poor, red-headed stepchild with little power to truly complete the mission. They are only there to make sure the code doesn't crash the system or fail to do what some option on the menu says it should.

Until we make the quality, and especially the security, of our applications as important as meeting the date we promised our customers new features, we will always run the risk that some employee will unwittingly let malware past all the perimeter defenses, where it can take advantage of those flaws to infect systems, steal data or take control.

Captain Joe

Follow me on Twitter @JPuglisiLLC