Software Vulnerabilities or “Treating the Symptoms Rather Than the Disease”

There’s an interesting article at C|Net, written by Jon Oltsik, who is senior analyst at the Enterprise Strategy Group, about security in general and problems related to insecure software. It says:

Any chief information security officer will tell you that one of the biggest issues related to information security comes down to poorly written software. This should not come as a surprise.
Typical developers have almost no training on secure development. Even if they did, software engineers are usually compensated for adding software functionality and meeting deadlines, not eliminating software vulnerabilities.
As a result of all of this buggy code, IT is often forced into building a post-development security strategy. Security safeguards like firewalls, application gateways, packet filtering, behavior blocking and patching are put in place to overcome software attacks against software vulnerabilities, open interfaces, and insecure features. In a medical setting, this approach might be described as “treating the symptoms rather than the disease.”

Read the complete article here.

I’d also recommend reading an older article titled “Programmers told to put security over creativity”, also at C|Net. It can be found here.

  1. Mirko

    I am quite disappointed with this article at C|Net. The author is basically telling us what is completely obvious and taking a route that implies all software is the same.

    Sure, best practices for making software not prone to common vulnerabilities are a good idea. Standards, collaboration and thorough testing are a must, but all companies are doing it already.

    Firewalls, packet filtering and behavioral blocking are there just because it’s completely impossible to make software unbreakable. We can only have degrees of security.

    He should have attacked Microsoft with his allegations; open source software like the Apache web server or a Linux server distribution is more secure than a Windows Server 2003 installation with IIS. That’s a fact.

    The problem is not only the software developers, it is the complete security industry that’s being led by incomplete standards and deals that enable certain products to dominate the market.
