Vendor focus shifts from deadline to defence line

A survey of participants to the 2005 Secure Software Forum — an industry forum promoting software quality assurance — observes that, while companies recognize the need for secure software and have begun developing secure coding policies, 70 per cent still have not integrated security assurance program into their development process.

Most large software vendors have implemented programs for secure code development, says Howard Schmidt, CEO, R&H Security Consulting in Issaquah, Wash.

For instance, Oracle Corp., criticized in the past for security vulnerabilities in some of its software, recently deployed Fortify Software’s source code analysis tools to test its code base of 30 million lines.

Fortify’s tools use a set of rules that can flag vulnerabilities in more than 60 categories, including SQL injection, buffer overflow and format string errors.

Fortify says its source code analysis tool has a high “signal-to-noise” ratio when analyzing large, complex commercial applications and lets users set thresholds to “tune” the analysis to desired sensitivity level. It helps users prioritize vulnerabilities according to importance without losing track of less important flaws that can be addressed later, writes IDC Corp.’s Melissa Webster in a research document entitled, Managing Software Security Risk.

High profile software companies are also placing less importance on meeting delivery deadlines and more on writing secure applications, says Schmidt. He adds that most of the software companies writing secure code don’t get due credit for the effort.

Microsoft’s long-awaited Windows Vista, the company’s next-generation operating system due to be released later this year, may be a case in point. Vista’s initial expected release was to be in 2003, but the unveiling has continually been pushed back.

Microsoft Canada president Phil Sorgen tells ComputerWorld Canada that his company has deliberately not set specific release date in an effort to ensure that the product release is not hurried by a date commitment.

Through an effort called “trustworthy computing initiative,” Microsoft applies a security development lifecycle process in product development, says Microsoft’s chief privacy strategist Peter Cullen.

The security development lifecycle process came as a result of work done by 8,500 Microsoft developers some four years ago, tasked to dismantle every line of code on Windows Server 2000 and fix vulnerabilities that were found, Cullen says.

“From that we learned very clearly that there were certain things that can happen in developing code, particularly on something as complex as an operating system,” he says.

Windows Vista is going through that same security development lifecycle and part of the process is technical community testing and feedback through the Windows Vista Community Technology Preview.

Ahead of its predecessor Windows XP, Vista has new built-in security features such as user account control, automatic security updates and Windows Defender that protects against spyware and potentially unwanted programs.

QuickLink 062081

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows...

Unlocking Transformation: IoT and Generative AI Powered by Cloud

Amidst economic fluctuations and disruptive forces, Canadian businesses are steering through uncharted waters. To...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now