Software security is a real problem, the solution is developer training

The Screen Actors Guild is beefing up the software security embedded inside its pension and health plans, spending half a million dollars to protect its data. The county government in Anne Arundel County, Virginia, was paralyzed for more than a day after an attack last week.

Vulnerabilities were found in Google Desktop, where hackers could exploit cross-site scripting flaws in Google.com to read end users’ files or even run remote applications. The Web site for the Florida Marlins was hacked before the Super Bowl to include an exploit that could install malicious software on browsers that didn’t have the latest security patches.

That’s all recent news, not ancient history. The more we expose our applications to the Internet, the more vulnerable they are to attack. Because applications are increasingly interconnected, through Web services, trust networks, single sign-on, SOA and mashups, each vulnerable application represents a significant threat to the entire enterprise data center – and our increasingly distributed IT infrastructure.

Network firewalls can’t protect you; many attacks are generated internally, or have an “inside job” agent. Intrusion detection systems can’t protect you; the network traffic is legitimate, it’s what it’s trying to do that’s malicious. Authentication systems can’t protect you; often the attacks come from publicly accessible resources, or from authorized accounts (which might have been compromised). Virtual private networks can’t protect you; they guard the pipe, not the endpoints. The only thing that can protect you is properly written software.

The solution is developer training. Too many software developers simply don’t understand the fundamentals of creating secure applications. They’re so focused on software features, platform compatibility and run-time performance that there’s literally no time left for using the right coding techniques. Similarly, architects often don’t know the security aspects of their designs, and testers are focused on requirements – which rarely spell out the security vulnerabilities that an application must guard against.

For that reason, I invite you, and your architects, developers and testers, to the 4th Software Security Summit – the only technical conference that’s 100 percent focused on helping you write more secure software, and helping you secure the software that you already own. It’s not about networking, it’s not about VPNs, it’s not about firewalls… it’s about software development. (I’m the chairman of this year’s event.)

The two-day conference, held April 16-17 in San Mateo, Calif., has a strong program for everyone on your team. There are solid keynotes from Herbert “Hugh” Thompson and Gary McGraw. There are full-day tutorials on breaking software security, creating enterprise software security standards, and creating a plan for improving your software security.

The technical sessions cover everything from cross-site request forgery to source code analysis, rootkits to SQL injection. There are specific sessions on securing Windows/.NET, Java EE and AJAX applications. New for this year are classes designed for the software development manager, addressing organizational issues that lead to software security problems.

The Software Security Summit is one conference that you and your team can’t afford to miss. There are discounts if you register by Friday, March 16. I look forward to seeing you there.

Z Trek Copyright (c) Alan Zeichick