Software Vulnerabilities: The Root Cause of Security Issues


By Kevin Kernan

Comments: Most people agree that the best long-term solution to security problems is to make the software itself more secure and reliable.

Almost every security breach that leads to identity theft, network interruption, data loss, or a website crash has the same root cause: poorly written software code.

Gartner estimates that about 70% of security attacks occur at the application layer. It is much cheaper to fix vulnerabilities in the development phase than in the application phase.

There is broad consensus on the long-term solution to the industry's security disaster. So what is holding back progress? Put simply, there is a language gap between security personnel and application developers.

To a large extent, this problem has gone unnoticed. Many organizations are not aware of the language gap between developers and traditional security personnel. They do not realize that asking developers to add security to a product that is already in development is as impossible as asking automakers to add seat belts, airbags, and a steel-reinforced, anti-rollover body to a car that is already on the production line. This practice ignores the fact that software development is a process, and the only way to improve the quality of the end product is to continuously improve that process.

Security professionals want to help developers write better code, but their only recourse is to reject more software over security issues. According to research published by the SANS Institute, hackers and virus writers are targeting the very products that companies build to protect computers. In fact, since operating system developers such as Microsoft seem to know how to protect their products, hackers are increasingly targeting anti-virus software.

Clearly, hackers are attacking software that protects our software.

Does this mean we should add another protective layer? Will we use new software to protect the software that is protecting our software?

Confused, right? So are we!

Software development professionals and security professionals are in very different situations. The development process is extremely clearly defined in both its steps and its tasks. Changing this process may delay product development or shipping, which may leave management, sales staff, and even shareholders quite dissatisfied.

Developers are under pressure to bring products to market quickly and to keep adding new features, rather than to write better code. Security issues prompt the development team to revise code during development only when the case for it is compelling. Many developers do not understand even the first step of secure coding and testing. Even two correctly written lines of code, when put together, can introduce a new point of vulnerability.

The software industry needs to find a common language for collaboration between development and security. It must develop a standard that integrates security processes, tasks, and products into the life cycle, to minimize both the impact of damage and product launch time. Even if this approach is formulaic and takes time to implement, setting a standard is a crucial step toward improving software security.

If we want to change the way software is developed and improve the security quality of the final product, such standards are essential.

Author profile:
Kevin Kernan is an industry veteran with 17 years of experience in the application software development market and CEO of Secure Software.
