IT Security Guru
What makes more secure software?

by The Gurus
June 4, 2020
in Opinions & Analysis
In an interview published this week, WhiteHat Security founder and CTO Jeremiah Grossman said that ultimately, the problem with security is a lack of decent protection.

Grossman said that information security has to change its thinking as there is a problem in a belief that you can put a box in and the problem goes away, and that is most people’s way of doing things and how they are trained.

He said: “We need software security, not security software. It is two completely different things and a really difficult problem as the world only has 17 million programmers and there is a lot of folk out there, and we have to tackle two problems – how do we write more secure code and validate it, and what do we do with legacy code.”

So is that the solution to attacks and breaches? Could better code and software be the answer? I took the discussion to some key people in the industry to get some thoughts. Tenable’s Jack Daniel said that this was “absolutely true” and pointed at work by his CSO Marcus Ranum, who he said had been saying this forever, and before him others had said that too.

Daniel said: “The fundamental issue is, if you have insecure software, and you are adding additional software to it to secure it – there is a fundamental flaw in that. So that is the purist view, and the rational view is that if I want things to be better tomorrow, and not in ten years time, then the only solution I have got is to add a layer of protection.

“Adding a firewall, and the problem in the industry is we are 20 years into saying “we apply this one band aid and fix it later”. Now we have code bases the size of Windows and OS10 that require huge stacks of bandages and have never gone back to the model of fixing the core code.”

This is a fair point: if there is a flaw in the base of a product, then no matter how many patches you apply or layers you add, the base is still flawed. John Maddison, vice president of marketing at Fortinet, said that there is so much hype going on and users are confused by what is being said, and we need to spend more time on sophistication than hype.

Dr Eric Cole, CEO of Secure Anchor and senior fellow at the SANS Institute, said that he would put Heartbleed and XP into this category too, as most companies come in with the assumption that software is secure, and most people believe that software and applications are locked down and protected.

He said: “People need to come in with the assumption that any software or any OS has vulnerabilities and exposures, and we have to recognise that they exist and approach security from that perspective.

“Look at most organisations, when they roll out new products or new solutions, how much time do they spend on functionality testing, and how much on security testing? Take non security products – Oracle, Java and ask how much time do they spend on functionality versus security, and that is where they spend the most time.

“Think of a firewall or an intrusion detection engine. When they deploy it and test it, they test the positive not the negative, so when a company deploys a new firewall what do they do? They deploy it and make sure things work and if everything works correctly, they declare victory! But they do not check that the things that are not supposed to be working are not working. We are not testing the negative so that they are not stopping and controlling the areas that they should.”
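Cole's distinction between testing the positive and testing the negative can be made concrete with a small acceptance suite for a firewall policy. The following is an added example, not code from the article or from anyone quoted in it; the rules, addresses and flows are constructed, and the first-match evaluator is a simplification of how a real firewall orders its rules. The point it shows is that an overly broad rule slipped in during troubleshooting passes every "does it still work" test and is only caught by asserting that traffic which should be blocked actually is.

```python
"""Positive and negative acceptance tests for a firewall ruleset (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port; None matches any port


# Constructed example policy (hypothetical private addresses): internal hosts may
# reach the web server on 443 and the bastion on 22; everything else is denied.
INTENDED_RULES: List[Rule] = [
    Rule("allow", "10.0.0.0/8", "192.168.1.10/32", 443),
    Rule("allow", "10.0.0.0/8", "192.168.1.20/32", 22),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

# The same policy after a hypothetical troubleshooting change: a broad allow rule
# inserted above everything else. Required traffic still flows, so positive-only
# testing declares victory.
OVERLY_PERMISSIVE_RULES: List[Rule] = [
    Rule("allow", "10.0.0.0/8", "192.168.1.0/24", None),
] + INTENDED_RULES


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First-match evaluation with an implicit deny when no rule matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


Flow = Tuple[str, str, int]  # (src, dst, dport)

# Traffic the business needs: checking only this is "testing the positive".
MUST_ALLOW: List[Flow] = [
    ("10.1.2.3", "192.168.1.10", 443),
    ("10.9.9.9", "192.168.1.20", 22),
]

# Traffic that must be blocked: "testing the negative".
MUST_DENY: List[Flow] = [
    ("10.1.2.3", "192.168.1.10", 22),      # SSH to the web server
    ("10.1.2.3", "192.168.1.30", 3389),    # RDP to a host with no published service
    ("203.0.113.5", "192.168.1.10", 443),  # external source (TEST-NET-3 address)
]


def run_acceptance(rules: List[Rule], include_negative: bool = True) -> List[str]:
    """Return failure descriptions; an empty list means the policy passed."""
    failures: List[str] = []
    for src, dst, port in MUST_ALLOW:
        if evaluate(rules, src, dst, port) != "allow":
            failures.append(f"expected allow: {src} -> {dst}:{port}")
    if include_negative:
        for src, dst, port in MUST_DENY:
            if evaluate(rules, src, dst, port) != "deny":
                failures.append(f"expected deny: {src} -> {dst}:{port}")
    return failures


if __name__ == "__main__":
    for name, rules in [("intended", INTENDED_RULES),
                        ("permissive", OVERLY_PERMISSIVE_RULES)]:
        print(name, "positive only:", run_acceptance(rules, include_negative=False) or "PASS")
        print(name, "positive and negative:", run_acceptance(rules) or "PASS")
```

Run as a script it reports the permissive ruleset as passing when only the positive flows are checked and failing on two of the three negative flows. In practice the negative list is the part worth maintaining: every service deliberately not exposed should have a corresponding "must deny" flow, so that a later rule change which widens access fails the test rather than being noticed in an incident.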

Maybe this comes down to the resources and finances to do such a level of testing, but could this be dealt with? I spoke with RSA Conference programme committee chairman Hugh Thompson, who is also senior vice president, chief security strategist and chief marketing officer at Blue Coat Systems. I asked him to share his comments on what Grossman said, and he said he agreed generally, but as well as needing secure software, we also need security technologies that make it easy for users to do the right thing.

He said: “Instead of encumbering them and hindering them, we need technology that actually makes it easier for them to do things. That is a really different mindset than security has had for a long time.

“It’s hard to trust things that don’t have security at their core, but then at the same time, if we’re not making technology that lets users do what they really want to do, and figure out and innovate ways to make it more secure on the back end, that don’t really bother them, then we’re going to be in real trouble.”

Usability and security do not always go together, but surely for products to be secure they have to be usable or, as Thompson said, we have a problem as they will be bypassed.

The problem is clear then, but the solution is far from clear: the next generation may be able to code better, but will they be able to meet the industry standard that is required for security? Let’s look again in 20 more years.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic