As Gary McGraw mentioned in his [In]-Security column this month, every enterprise depends on software. On the one hand, this is merely stating the obvious. Software carries out the processes, enforcing the rules that reflect the business purpose. Each company tries its best to select or develop software that best enables it to carry out its organizational mission.
On the other hand, the primary role of software begs to question why so little attention is paid to software security. Historically, security has tried to protect software from itself; building a firewall perimeter around it, watching for telltale symptoms in the network packet stream that might indicate an application attack, and by locking down privileges so only authorized people can direct requests to the software in the first place.
McGraw argued that we should take the time to consider whether our software is unacceptably buggy from a security point of view. We should take a crack at it using the “badness-ometer.”
That seems reasonable, but only a portion of the security community seems to be considering this approach. We recently fielded a large-scale survey of our Information Security magazine readers to gauge their security priorities for this year. Among other things, we learned: Forty-eight percent of respondents said their organizations have no plans to evaluate the source code of the software they use.
There does, however, seem to be some traction behind the use of firewalls that are specifically aware of which traffic is headed to which application. Roughly half of the respondents reported at least some use of these next-gen firewalls. There’s plenty more to be learned about what your security peers are up to in our coverage of the survey.
We asked more questions than we could fit into our feature coverage of the survey. A couple facts that I found interesting—even though they didn’t make the feature: Network vulnerability scanning and patch management are used twice as often as pen testing. Among our North American respondents, 61% said they use network scanning, 63% use patch management tools, and only 29% said they use pen testing.
We didn’t ask about it in the survey (there’s always next year!), but it doesn’t appear that most organizations are paying much attention to security risks in hardware either—have a look at Joel Snyder’s China Syndrome story for a thought-provoking consideration of the role China plays in the global IT supply chain.
And the hardware isn’t always selected by the IT department anymore. As Lisa Phifer’s feature noted, the adoption of bring your own device (BYOD) has reached upward of 40%. Clearly our world is increasingly filled with devices assembled in other, possibly hostile, countries, selected by our users based on features and favorite colors, added by way of insecure wireless networks to our infrastructures, running software that has—in most instances—not been properly vetted to ensure it’s even minimally hardened. One could look at the situation and feel a little overwhelmed, but I prefer to draw the obvious conclusion: Security remains fun!