Three short steps to application security.

You've patched. You've secured the Net. But still, the unexpected happens. A new worm takes advantage of a security weakness in one of your critical, public-facing applications, and now you have a costly mess to clean up. The National Institute for Standards and Testing says that buggy software could cost the economy as much as $60 billion. If that number strikes you as incomprehensible, just consider the number of software vendors producing new commercial software, writing custom applications and doing in-house modification work.

What's a lot more incomprehensible is the fact that while the serious problems caused by gaps in application security are growing at an alarming rate, most application vulnerabilities are avoidable. Even though many assume the issue is unsolvable, it can be addressed effectively through these three simple steps:

Step 1: Establish standards for code development -- Basic coding standards should be developed that--at a minimum--address the most prevalent software vulnerabilities. A good place to start is with the 10 most common development flaws, as identified by the Open Web Application Security Project (OWASP). For the standards to be effective, though, CIOs must also hold developers accountable to written standards and formulate appropriate contracts with vendors.

Step 2: Educate developers in secure coding practices -- Developers are commonly rewarded on the basis of time and the number of lines of code they deliver. New incentive models are needed--models that reward developers for secure code as well.

Step 3: Audit! -- The old adage that says "only things that are measured get done" applies to finding software glitches as well. Tools and scanning software are readily available that make it possible to identify code defects that could lead to security breaches. Testing should include both development processes and the application or code itself.

RELATED ARTICLE: Security tips

In an era of heightened national security, it is more important than ever to beef up the security of your network to prevent attacks from common hackers or even terrorists. The best way to do this is to integrate IT security into the day-to-day operation of your business. If you plan on institutionalizing IT security at your firm, here are some things to consider.

Go with enterprise antivirus software. Pick a single antivirus software suite that can be run from a network so that every user is protected. Make sure it has an auto download feature that automatically keeps the software up to date without relying on the user to download updates.

Enable automatic software updates. Make sure all employees have automatic software updating for critical applications, such as Windows, enabled. This assures that patches are downloaded and installed without relying on the user to do it. Check out Windows Update for more info on how to keep Microsoft Windows up to date: http://v4.windowsupdate.microsoft.com/en/default.asp

Adopt a policy. Sit down and draft a policy to secure your chunk of cyberspace. You can build an umbrella policy that covers virtually all aspects of computer usage, or you can develop a set of specific policies covering different scenarios and IT security threats. Check out sample policy templates from the SANS Institute at www.sans.org/resources/policies.

Mac McMillan is national practice director at CTG Information Security Practice, a silver-level member of the Detroit Regional Chamber.