Message for application development security is getting through to developers, experts agree

by Michael Smith (Veshengro)

Research released in April 2010 in the US claims to show that the message about secure coding is starting to get through to software developers in large organizations. And, says Fortify Software, this is excellent news, as it means that customized and in-house developed applications should start to be less liable to security flaws and loopholes.

"The research from our colleagues at Errata Security is interesting since it shows the uptake of software security assurance platforms from the likes of Microsoft is moving forward," said Richard Kirk, European director with the application vulnerability specialist.

"Besides finding that Microsoft SDL and Microsoft SDL-Agile are the most popular secure coding platforms in use, the study’s researchers also found that more than half of those interviewed included preventative security activities in the development lifecycle of their software," he added.

According to the Fortify director, the study also found that firms with product development teams of under 10 people manage to implement formal methodologies more successfully than companies of more than 100 members of staff.

Kirk went on to say that Fortify's own observations have shown that the main causes of software vulnerabilities stem from the early stages of the software development life-cycle.

"Our own research, he explained, tells us time and time again about the need for regular code auditing as part of a development process, as this ensures that software that is being developed is inherently secure," he said.

"In other words `building security in' - as opposed to attempting to add it after the fact - is the best option. This approach is not only more cost effective, but also results in applications that are much more secure because security was considered at every stage in the development process," he said.

"Errata's research is excellent news for any organization that uses software in any shape or form, as it shows the message that application security is a distinct, but essential, part of information security is getting through to where it matters - the software developers," he added.

For more on the research results:

For more on Fortify Software:

It also would appear that the greatest problem with software loopholes and other problems is that software is not tested log enough and released on the user too early, making users the testers and often putting their data and operations at risk.

This can be seen time and again with Microsoft Windows problems that are due to the fact that the software is not tested long enough in the Beta phase, if they even have one of them for the Window OS.

When we moved from MS-DOS to Windows 3 and then 3.1 between each release there were many years and the programs worked well and were stable. WIN95, many years after the arrival of WIN3.1, was a very stable system, as far as Windows went, anything that came thereafter was a problem.

And the way it is beginning to appear we are heading the same way with many of the Linux distributions for there are new versions appearing – to all intents and purposes – on a six monthly basis or such. We cannot afford to have untested or badly test operating systems and other software. Don't rush, folk! Just get the stuff right.

© 2010