Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Securing Software Requires Design, Testing, And Improvement
Oldest First  |  Newest First  |  Threaded View
JasonSachowski
50%
50%
JasonSachowski,
User Rank: Author
3/27/2014 | 7:16:55 AM
Attack-Agnostic through "Security By Design"
Software assurance (aka software security) is most often not viewed as a part of business needs.  This could be attributed back to how security has been traiditionally viewed as a "roadblock" or as mentioned above goes back to security not being strongly integrated throughout the SDLC processes.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/27/2014 | 7:37:13 AM
Re: Attack-Agnostic through "Security By Design"
Thanks for your comment Jason. If software security is typically not viewed as a part of an important business need, what do you think has to happen to make the industry take the issue more seriously?
JasonSachowski
50%
50%
JasonSachowski,
User Rank: Author
3/27/2014 | 2:23:07 PM
Re: Attack-Agnostic through "Security By Design"
Information Security cannot be the conscious of the business if we continue to focus on the flaws instead of identify solutions.  A good start to addressing this challenge would be to create a culture where we as Security professional bring forward what we know that helps to enable the business to operate securely; opposed to going around in circles asking what the business knows and creating barriers.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/27/2014 | 2:33:05 PM
Re: Attack-Agnostic through "Security By Design"
Enabling that culture change is a terrific idea but certainly has many challenges -- not the least of which is getting buy in from the C-suite. In your experience, what are the most effective "top-down" executive poliices and practices that foster a proactive security mindset within an organization?
JasonSachowski
50%
50%
JasonSachowski,
User Rank: Author
3/28/2014 | 8:46:46 AM
Re: Attack-Agnostic through "Security By Design"
Getting "top-down" buy-in is only as complicated as the way we communicate it.  This unfortunately stems back to how, for the most part, security professionals talk in terms of technical threats which does not neccessarily translate well into business logic.  Instead of communicating Software Security from a technical point of view, such as "We must enforce input validation to prevent against data type corruption and security vulnerabilities"; we could approach it from a business perspective based on risk, such as "Input validation provides assurance of business integrity, customer confidentiality, and application availability".

Security must be viewed as just another attribute of software, much like usability, performance, reliability, and scalability. With full participation of different stakeholders in a Secure-SDLC program, security risks can be identified both before deployment and during implementation, reducing the attack surface and strengthening defense-in-depth strategies. A "team approach" to secure software development will improve the software release, change, and configuration management processes, improving software deployment standards.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29856
PUBLISHED: 2021-09-20
IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 could allow an authenticated usre to cause a denial of service through the WebGUI Map Creation page. IBM X-Force ID: 205685.
CVE-2021-32839
PUBLISHED: 2021-09-20
sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Onl...
CVE-2021-38899
PUBLISHED: 2021-09-20
IBM Cloud Pak for Data 2.5 could allow a local user with special privileges to obtain highly sensitive information. IBM X-Force ID: 209575.
CVE-2020-8561
PUBLISHED: 2021-09-20
A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log l...
CVE-2021-25740
PUBLISHED: 2021-09-20
A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.