Opening up security development

By Siyabonga Africa, ITWeb junior journalist
Security Summit 2009, 27 May 2009

Security software developers should communicate with each other to create confidence in the industry, as well as increase their competency in developing products with less vulnerability.

This is according to Window Snyder, CEO and founder of In Every Hand, speaking yesterday during her presentation, “Open source security for commercial vendors”, at the ITWeb Security Summit, in Midrand.

“Communication is critical between security vendors, yet it's scary for them. Commercial vendors can benefit from the feedback they'd receive from the wider security community, because they'd receive expert advice on vulnerabilities they did not pick up in the software during the development stage.”

Snyder said there are vulnerabilities in all software, which is why the security industry should aim to create an open source community where cooperation would lead to better developed software being created.

“We'd be contributing to a body of tools, which would end up producing security for everybody.”

Many layers

Snyder said there are a number of issues which security vendors should be looking at when developing software. She believes the best strategy to take in the development process is a multi-layer approach, which would incorporate communication and cooperation in an open source environment.

“Testing the software should be done continuously through the development process as well to rule out any inherent flaws that the product might have.”

Threat modelling, which involves identifying entry points in the security system, was another key factor which Snyder highlighted. In her opinion, vendors do not do focused penetration testing on specific components in their products.

“Ideally, in an open environment, you would have someone who would look for hidden flaws that your developers might have missed out on. It is cheaper than hiring consultants to evaluate your system.”

Security Summit 2009 Expo

Visit the Security Summit Expo taking place from 26 to 28 May at Vodaworld, Midrand. Tickets cost R150 and more information is available online here.

Snyder said security vendors should also strive to get rid of legacy code in their software as hackers would have picked up on it. Companies should train their developers to recognise the legacy code to delete it before the product is completed.

“We're finding that companies have legacy codes from more than 10 years ago. It's never too late to get rid of that code, even if it's from 20 years ago.”

Cooperating together and forming a security community allows vendors to identify and overcome vulnerabilities in their software, turning their marketing claims into measurable progress.

Related stories:
Cyber attacks evolve
Lock up VOIP
EMEA security spend to increase
Data loss on the rise
Securing the cloud