News

Fighting the Enemy Within

• By John K. Waters
• October 20, 2004

"Security is no longer an afterthought:" That's a phrase we hear a lot these days, but its significance isn't often fully appreciated. If security has ceased to be an issue that comes up only after an application has been built, then it must be getting baked in much earlier in the development process--or at least it should be.

And that means – here's the significant part -- that more than ever before, the security onus is falling on the shoulders of developers. If bad software is increasingly seen as the ultimate security risk, then everyone will be looking to App Dev to deal with the problem.

"Ten years ago, if you were a developer, you couldn't imagine that anyone but the five people who had access to the data center would ever be accessing that application you were building," says Mike Armistead, VP of marketing and co-founder of Fortify Software. "Applications today are making smart use of the fact that the Internet and the networking world allow you to distribute these apps in a massive way."

In other words, the holes in the wall that can be plugged are being plugged by a wealth of perimeter solutions. But those kinds of solutions can't protect an enterprise in a networked, Internet-enabled, Web-services world where there really are no perimeters.

To be fair to the code warriors, the security threats we're facing today are evolving, and the new focus on security as a built-in feature is a part of that evolution. Fortunately, we're also seeing the emergence of a new generation of tools designed to help developers to deal with application layer vulnerabilities earlier in the development cycle.

Armistead's company is a good example. Fortify has pioneered an "inside-out" approach designed to eliminate security threats in the app layer. Founded last year, the Palo Alto, Calif.-based startup offers suites of products that automate security processes during development. The company's source code analyzer works like a compiler, but instead of optimizing code, it applies a set of rules for secure coding and highlights violations of those rules.

Security expert and author Gary McGraw agrees that bad software is the chief IT security issue facing organizations today. "It's something that IT managers are beginning to worry about," McGraw tells eADT. "And that’s a good thing. Everybody ought to be worrying about it."

"When I say 'bad software' I need to add that software hasn't really gotten any worse," explains McGraw, CTO of Cigital, a provider of software quality management solutions based in Dulles, Va. "What has changed is the risk profile. It used to be that developers didn’t really have to worry about attackers feeding junk to their programs to see if they could cause them to fail. But the Internet and mobile code has changed that situation. A lot of the software being produced today is destined to live on the ‘Net or to be network-enabled."

Real attackers compromise software, McGraw adds, which means that, when it comes to security, it’s all about getting to exploitable code.

"Yeah, I’d say the security onus is on programmers today to a large degree," he says. "The fact is, it’s just better to build it right in the first place."