The Security Snooze Button: Page 2
That's the real message that we should be reading in stats like this. As my colleague Gary McGraw says, "Build it and they will break it." I suppose there's somewhat of a corollary here in the form of, "If there's money in it, they'll break it vigorously."
Gone are the days when software developers could safely write code without a keen understanding of what their adversaries might do to the code they write. We have to assume, at every step along the way, that our software will face a determined and profit-motivated adversary who will go to great lengths to find even the most subtle of weaknesses in our software. And that goes for server as well as desktop software.
We information security folks need to get involved in our respective organizations' software development efforts and help ensure that security is being represented at every stage. We need to help ensure that secure development practices like those described in Gary McGraw's Software Security book or on DHS's Build Security In portal are being followed in our organizations. We need to be as integral to the software development process as the software developers are now.
Regardless of how we approach it, I sure hope it's evident to all of us that it's time to stop hitting the snooze button with regard to secure software. Otherwise, all we're doing is reacting to every alarm that comes along. And that's a horrible way of doing business.