Wednesday, April 15, 2009

"Secure software" isn't enough anymore!

Lots of folks are talking about "securing software" in the rather traditional context of "writing secure software", and this is being broadened out to a complete security focus across the entire lifecycle. You can hear me discuss this in this recorded webinar:

http://www.arxan.com/software-protection-resources/webinar-series/application-security-360-view-webinar.php

and colleagues at Fortify and Cigital have developed a "Building Security In Maturity Model", which is here:

http://www.bsi-mm.com/

However, I'm here to tell you folks, IT ISN'T ENOUGH.

What's that you say? What more is there? What more can we do than ensure our applications don't have security flaws?

The answer is that applications have to go on the offensive. Applications must not just be "defensively secure" by not having code vulnerabilities, they must take active measures to detect and respond to attacks directed against themselves.

Of course my company is in this business and of course this is a blatant advertisement...but darn it folks, it is absolutely true, and knowing what I know, I'd be saying this even if I worked as a used car salesman. Applications in the enterprise, in the cloud, distributed applications (ISV software) and applications in endpoint devices (phones, set top boxes, automobiles, home gaming systems, the list is endless) are the new focused target of attack by organized crime. And these applications CAN be engineered to have multiple layers of active defense ("offensive defense").

Applications can and should check themselves for code integrity. Applications can and should authenticate components that are dynamically attached (DLLs). Applications can and should detect and report debugger attachments. Applications can and should protect critically sensitive code through encryption and dynamic decrypt/execute/re-encrypt operations. Applications should deploy these self-guarding techniques in multiple interlocking layers, with a variety of overt and subtle response actions, so that a persistent attack is foiled at some level. Enterprise applications should have these response actions wired into the security monitoring systems deployed by the enterprise.
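As an added illustration (my own example, not the author's or Arxan's code), here is the "authenticate dynamically attached components" step from the list above in Python: a build-time manifest of SHA-256 digests, a load-time check, and the outcome reported to a monitoring sink, which is the "wired into security monitoring" part. The function names and the in-memory sink list are assumptions, as is the premise that the manifest itself is protected (for example embedded in the signed application binary).

```python
import hashlib
import hmac
import os
import tempfile

class IntegrityError(Exception):
    """Raised when a component fails its integrity check; the response is to refuse the load."""

def sha256_file(path):
    """Digest the file in chunks so a large component is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths):
    """Build-time step (assumed workflow): record the expected digest of every trusted component."""
    return {os.path.basename(p): sha256_file(p) for p in paths}

def verify_component(path, manifest):
    """True only if the component is listed in the manifest and its digest matches."""
    expected = manifest.get(os.path.basename(path))
    # Unlisted components are refused; listed ones are compared in constant time.
    return expected is not None and hmac.compare_digest(sha256_file(path), expected)

def load_trusted_component(path, manifest, sink):
    """Runtime step: authenticate before loading, and report the result to a monitoring sink."""
    ok = verify_component(path, manifest)
    sink.append({"event": "component_load", "component": os.path.basename(path), "verified": ok})
    if not ok:
        raise IntegrityError(f"refusing to load unverified component: {path}")
    return path  # a real loader would dlopen/LoadLibrary here

def demo():
    """Constructed plugin: trusted at build time, then modified on disk before the second load."""
    with tempfile.TemporaryDirectory() as d:
        plugin = os.path.join(d, "report-plugin.so")
        with open(plugin, "wb") as f:
            f.write(b"\x7fELF constructed plugin bytes, not a real library")
        manifest = build_manifest([plugin])
        events = []
        load_trusted_component(plugin, manifest, events)  # pristine: loads
        with open(plugin, "ab") as f:
            f.write(b"\x90")  # one appended byte stands in for tampering
        try:
            load_trusted_component(plugin, manifest, events)  # tampered: refused
        except IntegrityError:
            pass
        return [e["verified"] for e in events]
```

The check covers the file as it sits on disk at load time; protecting the code after it is mapped is the separate in-memory integrity layer the paragraph also calls for.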

These practices need to become commonplace and part of our general software lifecycles. The world is too dangerous a place for it not to happen. We need to keep up with the organized criminals, and right now our software is falling woefully behind.