Common software security risks and oversights

When reviewing internal documentation and interviewing developers, development managers and quality assurance (QA) staff, I tend to find more of the same. It's no wonder software security is still a large contributor to business risk.

The four fundamental areas I believe create the largest gaps in software security are:

1. Limited adoption of security models or frameworks such as Microsoft's Security Development Lifecycle or the OWASP Top 10 Project.
2. Minimal interaction with IT and security personnel on issues outside of basic system deployment and availability.
3. Security controls such as SSL, strong password enforcement and multifactor authentication being treated more like a feature that someone wanted rather than a means of minimizing business risk.
4. Software team members being excluded -- sometimes exempt -- from information risk-related policies, assessments/audits and security mitigation strategies.

And these contributors to software security problems are rather consistent across organizations and industries. It doesn't matter if your business is large or small or somewhere in between, odds are you have some operational issues at the root of many of your software security problems.

So, where do you start? How can you even begin to fix such issues that are so deeply embedded in your business operations? Well, it's not simple but it can be done. IT, security, development/QA and management a...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security Strategies Rich Internet applications security testing checklist The lowdown on PCI compliance Web 2.0 application security troubleshooting, testing tutorial Expert resolves issues plaguing OpenSTA users Fixing four Web 2.0 input validation security mistakes Social engineering training could disrupt botnet growth Web security problems: Five ways to stop login weaknesses Preparing for testing applications in the cloud The role of quality assurance (QA) pros in software security Using the Firefox Web Developer extension to find security flaws Building security into the SDLC (Software development life cycle) Problems caused by skipping analysis stage of SDLC Inexpensive phase of SDLC to catch and fix bugs GatherSpace beefs up cloud-based requirements management ALM: Best of breed vs. complete systems Software development life cycle phases, iterations, explained step by step The role of quality assurance (QA) pros in software security Why the quality assurance department should be involved in testing How to develop secure applications Secure software development practices 'not rocket science' How to prevent HTTP response splitting Software security testing and techniques How to get management on board with Web 2.0 security issues Web application security best practices: Tips on implementation Testing strategies for complex environments How to make your software tamperproof Ways to approach application performance testing on a tight budget How can I tell if my software security has been breached? Is online application testing for smartphones different from other software testing? Software testers facing six big challenges today, StarWest keynoter says Lesser-known free software testing tools testers should try Is manually testing a software project for flaws too risky?

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ll have to be able to answer the following questions:

1. Has any one person or group come to a conclusion on what "software security" actually means in the context of your business? You cannot fix what you don't acknowledge.
2. Is there any semblance of documented security standards for not only operating systems, routers and databases but applications as well? Ideas that aren't documented are merely wishes.
3. Are development and QA mentioned anywhere in your organization's security policies, plans and procedures? They should be. They have to be for this to work.
4. Are periodic and consistent checks being performed (using good tools and smart people) to ensure your software meets a standard set of security controls? Every business should at least have a baseline of what's accepted beyond the overhyped SSL, strong passwords and input validation controls.
5. Perhaps most importantly: Who does management have to answer to? Internal auditors, maybe external regulators? Pleasing one group of people may be a whole lot easier than pleasing another. Know what you're up against and it'll be clear what level of software security to shoot for.

As sexy as the technical side of software security can be, it's often the oversights and assumptions on the "boring" business side of things that'll get you into trouble. Get the right people together and ask the tough questions. Once everyone's on the same page you can start working toward gaining and maintaining control of your business's security obligations.

About the author: Kevin Beaver, CISSP, is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent security assessments and information security career counseling for up-and-coming IT pros. Kevin has authored or co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Kevin can be reached at kbeaver [at] principlelogic.com.