05.04.06
The Software Development Life Cycle: When To Secure Your Process
By Caleb Sima and Kevin Beaver
When it comes to software security, the general perception is that including technologies such as firewalls, intrusion prevention systems, and malware protection throughout the software development life cycle is all that's needed to keep information secure in the end product.
However, these technologies are mostly reactive in nature and don't prevent the vulnerabilities in the first place. Also, at the development level, there's a lot of talk about testing for buffer overruns, validating user input, using the principle of least privilege, and so on. These are certainly solid practices, but there's still a considerable gap when it comes to getting to the root of software flaws - the development process itself.
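As an added illustration of the "validating user input" practice the paragraph names (example code added here, not from the article or its authors): an allowlist validator for web form fields, with a blocklist check beside it to show why the reactive, pattern-blocking approach leaves gaps that a process-level rule ("every field has an allowlist") closes. The field names, rules, and sample inputs are all constructed for this example.

```python
import re

# Allowlist rules per field: (compiled pattern, human-readable description).
# These fields and rules are constructed for the example, not taken from any real app.
FIELD_RULES = {
    "username": (re.compile(r"[A-Za-z0-9_]{3,32}"), "3-32 letters, digits, or underscores"),
    "zip_code": (re.compile(r"\d{5}(-\d{4})?"), "a 5-digit or ZIP+4 US postal code"),
    "quantity": (re.compile(r"[1-9]\d{0,3}"), "an integer from 1 to 9999"),
}

# Hard upper bound on any field, checked before the regex runs, so that
# oversized input is rejected cheaply and never reaches pattern matching.
MAX_FIELD_LENGTH = 256


class ValidationError(ValueError):
    """Raised when a single field fails its allowlist rule."""


def validate_field(name, value):
    """Validate one field against its allowlist rule and return the accepted value.

    Unknown fields are rejected outright: the allowlist covers the set of
    fields as well as the content of each one.
    """
    if name not in FIELD_RULES:
        raise ValidationError(f"{name}: unexpected field")
    if not isinstance(value, str):
        raise ValidationError(f"{name}: expected a string")
    if len(value) > MAX_FIELD_LENGTH:
        raise ValidationError(f"{name}: exceeds {MAX_FIELD_LENGTH} characters")
    pattern, description = FIELD_RULES[name]
    # fullmatch anchors both ends, so trailing newlines or extra characters fail.
    if pattern.fullmatch(value) is None:
        raise ValidationError(f"{name}: must be {description}")
    return value


def validate_form(form):
    """Validate a whole submission.

    Returns (clean, errors): clean holds only fields that passed, errors lists
    one message per rejected field, so the caller can refuse the request when
    errors is non-empty and never act on partially validated data.
    """
    clean = {}
    errors = []
    for name, value in form.items():
        try:
            clean[name] = validate_field(name, value)
        except ValidationError as exc:
            errors.append(str(exc))
    return clean, errors


# The reactive alternative for contrast: a blocklist of "known bad" fragments.
# Constructed and deliberately incomplete, which is the point: a blocklist only
# knows the attacks its author thought of, whereas the allowlist above accepts
# only what the field legitimately needs.
BLOCKLIST = ("<script", "javascript:", "' or ")


def blocklist_check(value):
    """Return True if the value contains none of the blocklisted fragments."""
    lowered = value.lower()
    return not any(fragment in lowered for fragment in BLOCKLIST)


if __name__ == "__main__":
    # Constructed sample submissions.
    good = {"username": "alice_01", "zip_code": "30301", "quantity": "2"}
    bad = {"username": "<img src=x onerror=alert(1)>", "zip_code": "30301"}
    print(validate_form(good))
    print(validate_form(bad))
    # The markup-bearing username slips past the blocklist but not the allowlist.
    print("blocklist accepts it:", blocklist_check(bad["username"]))
```

The design point is that `validate_form` is the only way data enters the handler, so the rule "every field has an allowlist" becomes a property of the development process rather than something a firewall or filter has to guess at after the fact.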
Web application security is extremely complex and constantly changing, and there's more to it than technical controls. Whether it's commercial or in-house, any type of code, from firmware to client-server programs to Web applications, can benefit from a solid and proven development process. A solid development process throughout the software development life cycle will not only ensure proper expectations are set within the team, help reduce development time, and improve quality, but it can also make major software security improvements along the way. This all may seem too idealistic, but it can be done. As a result, both in the short term and the long run, software security flaws can be drastically reduced and organizations can lower their dependence on technical safeguards working reactively to cover up the true problem.
There are six common weaknesses in the software development life cycle that lead to vulnerable code, and inevitably, security exploits.
1. Not understanding the long-term consequences of a weak security process
Certain software security flaws may not be quite so obvious. It may take several software revisions before they're discovered. Other software security flaws may not show up for years. Regardless, they're still being baked in, which creates long-term problems. Much of this can be traced back to weak security processes throughout the software development life cycle, such as not performing threat modeling, not establishing and following software security standards, and not using the proper testing tools to uncover software security weaknesses.
2. Business goals conflict with security during each phase
Regardless of what anyone in development, product management, or marketing says, there's still less focus on software security and more focus on delivering feature-rich applications that come as close to everything-for-everyone as possible. Throughout the software development life cycle - from planning to ongoing maintenance - time is of the essence in each phase. Time to market drives the majority of projects, and quite often during time crunches, security oversights occur, sloppiness ensues, and otherwise solid code is placed on the "back burner" to be fixed later.
About the Author: Caleb Sima is the co-founder of SPI Dynamics, a Web application security products company. He currently serves as the CTO and director of SPI Labs, SPI Dynamics' R&D security team. Prior to co-founding SPI Dynamics, Caleb was a member of the elite X-Force R&D team at Internet Security Systems, and worked as a security engineer for S1 Corporation. Caleb is a regular speaker and press resource on Web application security testing methods and has contributed to (IN)Secure Magazine and Baseline Magazine and been featured in the Associated Press.
Kevin Beaver – founder of Atlanta-based Principle Logic, LLC – is an independent information security consultant, author, and speaker. He has over 18 years of experience in IT and specializes in performing information security assessments. Before starting his own information security services business five years ago, Kevin served in various information technology and security companies.