Security Market Segment LS
Friday, 27 August 2010 15:40

Training the key to avoiding software security flaws


The same types of exploits have remained the most common for at least three years. Are developers slow to learn?

The Open Web Application Security Project (OWASP) list of the top ten attacks has changed little between 2007 and 2010, while code reviews conducted by Microsoft's internal IT operation reveal five types of flaw that keep cropping up.

"This happens because it [software] is complicated," said Rocky Heckman, senior security architect at Microsoft, explaining that software has a tendency to do unintended and undesirable things.

The five common flaws he sees involve cross-site scripting (XSS), SQL injection, buffer overflows, canonicalisation, and cross-site request forgeries (XSRF).

There are established ways of avoiding these issues, including input validation, stored SQL procedures, managed code, and encrypted unique session IDs, so why do they keep appearing?

"Big organisations are like the Titanic - difficult to turn around," Heckman told iTWire. A general reluctance to touch old code contributes to the problem.

Training is the key - see page 2.

"I wish they'd teach it [secure development practices] more in universities," he said, adding "the best thing you can do for your developers is training."

While elements of Microsoft's Secure Development Lifecycle do have a time impact on projects, they do get you to a better place, said Heckman. Developers at Microsoft say that if their peers can only make one change, it should be to carry out threat modelling.

"The best thing you can do for your developers is training," he said, observing that those who have received training in secure development don't make as many mistakes as those that haven't - though you would hope that was the case.

WEBINAR event: IT Alerting Best Practices 27 MAY 2PM AEST

LogicMonitor, the cloud-based IT infrastructure monitoring and intelligence platform, is hosting an online event at 2PM on May 27th aimed at educating IT administrators, managers and leaders about IT and network alerts.

This free webinar will share best practices for setting network alerts, negating alert fatigue, optimising an alerting strategy and proactive monitoring.

The event will start at 2pm AEST. Topics will include:

- Setting alert routing and thresholds

- Avoiding alert and email overload

- Learning from missed alerts

- Managing downtime effectively

The webinar will run for approximately one hour. Recordings will be made available to anyone who registers but cannot make the live event.



Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.


Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.



Recent Comments