Paul Krill
Editor at Large

Security deemed a tough task

news
Mar 8, 2007

Good software security is not something that happens by accident, a security expert told the audience at the EclipseCon 2007 conference on Thursday morning.

In a presentation entitled, “Software Security: Uncut and Uncensored,” Herbert Thompson, chief security strategist at People Security and an author on the subject, drove home the reality that software security is a difficult endeavor. A focused effort is required to make an application secure, he said.

Critical changes are happening in the industry, he added. “The way applications communicate with each other is really changing pretty substantially,” with much data flowing over a single port, that being Port 80, Thompson said.

Another change is regulatory compliance and its consequences. Customers are demanding different things in software, such as the ability to encrypt log files, Thompson said.

Now, companies have to inform the public of software security issues. Meanwhile, stealing identities has become a profitable business, Thompson said.

“Competition among bad guys has driven the price of an ID down to a buck,” said Thompson.

Often, security competes with other project goals, such as finishing the project, he said. Security needs must be balanced with other goals, said Thompson. But security expertise is lacking amongst code writers.

“Most people [have] not taken a security class,” Thompson said.

To boost security, he advised peer reviews to find quality issues, gathering customer security requirements, and thinking broadly about where a software product might be deployed. Regulatory requirements must also be factored in, along with perhaps additional auditing capability.

Also, developers should be educated on how to think about security; code reviews should be performed on critical components.

“Threat modeling is also incredibly effective,” Thompson said.

Developers can even write an “abuse case” for a piece of code to test it out, he said. Fuzz testing, which feeds an application inputs that might reveal bugs, is also a good idea.

Other recommendations from Thompson included developing a secure deployment guide, documenting security assumptions and learning from mistakes.
