Friday, 27 August 2010 15:40

Training the key to avoiding software security flaws

By Stephen Withers

The same types of exploits have remained the most common for at least three years. Are developers slow to learn?


The Open Web Application Security Project (OWASP) Top Ten list of web application security risks changed little between its 2007 and 2010 editions, while code reviews conducted by Microsoft's internal IT operation reveal five types of flaw that keep cropping up.

"This happens because it [software] is complicated," said Rocky Heckman, senior security architect at Microsoft, explaining that software has a tendency to do unintended and undesirable things.

The five common flaws he sees are cross-site scripting (XSS), SQL injection, buffer overflows, canonicalisation errors (mishandling of paths and encodings before they are checked), and cross-site request forgery (XSRF).

There are established ways of avoiding these issues - input validation plus output encoding for XSS, parameterised queries or stored procedures for SQL injection (provided the procedure does not itself assemble dynamic SQL from its arguments), managed code for buffer overflows, comparing canonical rather than raw paths, and unique, unguessable per-session anti-forgery tokens checked on every state-changing request for XSRF - so why do they keep appearing?
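To show what those established mitigations look like next to the flaw they prevent, here is an added illustration of four of Heckman's five classes in Python. It is not code from the article or from Microsoft; the user table, the sample names and the web root /srv/www are constructed for the example, and the database is an in-memory SQLite table standing in for a real one. The parameterised query demonstrates the mechanism that makes a stored procedure safe: the value travels separately from the statement text.

```python
"""Vulnerable and hardened forms of SQL injection, XSS, canonicalisation
and XSRF handling. Added example; all sample data is constructed."""
import html
import hmac
import os
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory user store standing in for a real database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret-a"), ("bob", "s3cret-b")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # SQL injection: the caller's input is spliced into the statement text,
    # so a quote character in it rewrites the WHERE clause.
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the value is sent separately from the query, so it
    # can only ever be compared as data, never parsed as SQL.
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    # XSS: untrusted text written straight into an HTML text context.
    return "<p>Hello, " + name + "</p>"


def render_greeting_encoded(name: str) -> str:
    # Output encoding for the HTML text context. Validation alone is not
    # enough, because a legitimate name such as O'Neil still needs escaping.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def resolve_under(root: str, requested: str):
    """Return the canonical path of `requested` inside `root`, or None if,
    once '..', duplicate separators, symlinks and absolute paths are
    resolved, it escapes `root`. Rejecting raw strings that contain '..'
    is the classic canonicalisation mistake; compare canonical forms."""
    root_real = os.path.realpath(root)
    # os.path.join discards root_real if `requested` is absolute, so an
    # absolute path is caught by the containment check below as well.
    target = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target


def new_csrf_token() -> str:
    # Unguessable per-session token stored server-side and embedded in forms.
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: str, submitted: str) -> bool:
    # A cross-site request cannot read the token, so it cannot echo it back.
    # Constant-time comparison avoids leaking matching prefixes via timing.
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, attack))        # both rows leak
    print("parameterised:", lookup_parameterised(db, attack))  # []
    print(render_greeting_encoded("<script>alert(1)</script>"))
    print(resolve_under("/srv/www", "../etc/passwd"))          # None
    tok = new_csrf_token()
    print(csrf_token_valid(tok, tok), csrf_token_valid(tok, ""))
```

The injection payload returns every row from the concatenated query and nothing from the bound one; the same containment check in resolve_under rejects both "../etc/passwd" and an absolute "/etc/passwd" while still accepting "css/../index.html", which a naive ".." filter would wrongly block.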

"Big organisations are like the Titanic - difficult to turn around," Heckman told iTWire. A general reluctance to touch old code contributes to the problem.


"I wish they'd teach it [secure development practices] more in universities," he said, adding "the best thing you can do for your developers is training."

While elements of Microsoft's Security Development Lifecycle (SDL) do add time to projects, they do get you to a better place, said Heckman. Developers at Microsoft say that if their peers can only make one change, it should be to carry out threat modelling.

Those who have received training in secure development don't make as many mistakes as those who haven't, he observed - though you would hope that was the case.


Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
