Information Technology News.


Developers often have a blind eye for security

Get the most dependable Linux or Windows Web hosting at the lowest cost. Domain names at only 99 cents for a whole year! Click here to learn more.

June 12, 2006

"More and more today, developers and programmers turn a blind eye to Internet security. Potential hackers are now more capable of taking advantage of poorly written software.

In fact, it’s foolhardy for developers to think those security flaws won’t be exploited on day", said Mary Ann Davidson, chief security officer for database giant Oracle Corp. “The mentality needs to change,” she said.

The inherent cost of insecure coding in today's software is staggering. The NIST (National Institute of Standards and Technology), a U.S. government agency, estimates computer and Internet security problems cost companies every year between US $22.2 billion to US $59.5 billion, Davidson said.

The problems of important security holes in software starts with how developers are taught at universities and goes straight through to systemic vendor attitudes, Davidson said.

Software coders at Oracle often need remedial coding education after they are hired since they don’t consider how “evil” input could affect their products such as databases, Davidson said. Universities are not teaching secure coding practices and are reluctant to change their curriculum, she said.

Vendors are pressured to move products into the market as quickly as possible, and often lack the tools to build better ones, Davidson said.

As a result, software development is reaching a “tipping point” where poor security is a board-level issue.

The result of bad code means spiraling patching costs for both clients and companies such as Oracle. Davidson said the record for fixing one defect was 78 patches, which cost the company around US$1 million.

“I don’t hate protecting our customers, that’s important, but what a waste of resources to try to band-aid after the fact something we should have caught earlier,” she said.

As a result, Oracle has implemented numerous measures to produce better code. Oracle created a 200-page guide on coding standards.

An in-house hacking team pokes products for holes in live hacking sessions. Developers up to senior vice-presidents must participate in educational Web-based classes. “We use our own dumb-ass mistakes as examples,” Davidson said.

“Because if you don’t do that, developers think this is an academic argument.” The company uses new in-house tools to look for buffer overflow vulnerabilities and SQL injection attacks.

It also employs software from Fortify Software Inc. to scan for problems in Oracle’s 30 million lines of code, she said.

Source: IT World Canada




IT News Archives | Site Search | Advertise on IT Direction | Contact | Home

       © IT Direction. All rights reserved.