|
3. APPLICATION SECURITY TESTING AND SECURE CODING TRAINING
In July 2005, the SANS Institute revealed new data showing sophisticated attackers had altered their techniques and begun targeting application vulnerabilities more than system vulnerabilities. This announcement was a wake-up call for CIOs and security officers. Most of their efforts had gone into securing Windows, UNIX and their services. Now the CIOs had to worry about attackers using their applications against them.
Savvy users employ four types of defenses to protect their applications:
- They intensely train users on secure coding techniques, and test them to be sure they learned to recognize the common mistakes and how to avoid them.
- They test their programs using source code analysis tools.
- They test their Web applications using Web application security scanners and penetration testing.
- They deploy Web application firewalls and application-aware intrusion prevention systems.
Each of these defenses has matured greatly, especially in the past six months, so it may be time to update your application strategy.
Training and Testing
Until this year, training in secure programming was largely ineffective, because programmers had no way of measuring their mastery. Most teachers offered general rules but rarely reinforced the training with hands-on exercises focused on finding ...
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
and fixing errors in code. The programmers listened, thought they understood, then went back to work and made many of the same mistakes they had made before the training.
In the past six months, more than 120 organizations have established a common definition of the rules and best practices in secure programming (in four sets of languages: C/C++, Perl/PHP, Java/J2EE, .NET/ASP) and helped to build a Secure Programming Assessment examination that allows programmers and their employers (and customers) know whether they have mastered the critical elements of secure coding. Information on the exam is available at www.sans.org/spa.
Just the promise of the exam has already begun to affect the content and effectiveness of secure programming training. Instructors have begun adding hands-on exercises and their students are paying a lot more attention because they know they will be tested. Even more importantly, the exam is being used by faculty at universities and community colleges to justify integrating secure coding training into the core curriculum. They don't want to be embarrassed when employers hire their graduates and learn that the programmers don't know how to write secure code.
At the same time, organizations that buy software intend to use the exam to find out whether the consultants and software companies have programmers who know the common security weaknesses in programs and how to find and fix them.
|
 |
|
