
It’s time we addressed the holes in software development.

WHAT HOLES?

No security built in – that’s the hole, the flaw, and it’s huge. David Rice, esteemed author of “Geekonomics: The Real Cost of Insecure Software”, puts the total cost of security holes in software at around 180 billion U.S. Dollars a year.

The combined losses are so enormous, they are virtually unquantifiable. Fines against organizations that have experienced breaches because of insecure software alone have reached astronomical amounts. Factor in that more than 226 million records have been disclosed or breached since 2005. Then multiply by the reputation damage to violated companies and the subsequent loss of customer trust, and you get a sense of the enormity of the problem.

Consumer, government, education, healthcare, banking, retail, wholesale, insurance, the media – each has experienced some kind of data breach, with disastrous results. No one is immune.

It’s almost an understatement to say that today’s applications – operating in increasingly hostile environments, and faced with mounting regulatory and compliance requirements – should be secure.

PROBLEM: LACK OF SECURITY.

SOLUTION: FINDING WAYS TO FILL THE HOLES. We should be thinking about security now, not as an afterthought.

Any organization directly involved in software development needs to incorporate security controls, and not just as an add-on or a patch but rather throughout the entire software lifecycle – from concept and planning through operations and maintenance, to ultimate disposal.

No question – insecure software provides vulnerabilities that are easily exploited. The entire development team needs to embrace security. Every member needs to adopt a mindset which proclaims security first, security last and security in between.

Confidentiality, integrity, availability, authentication, authorization and auditing – the core tenets of security – must become requirements in the software lifecycle. Without this level of commitment, you place information at risk. Incorporating security early and maintaining it throughout all the different phases of the software lifecycle has been proven to be 30-100 times less expensive and incalculably more effective than wrenching security into an operational system.

Simply stated, what we’re talking about is requiring all software lifecycle stakeholders to understand the importance of the role they play and to act accordingly. And that means clients, business analysts, requirements analysts, product managers, project managers, software engineers, designers, architects, development managers, developers (coders), testers and operations personnel operating in tandem to layer defensive measures, until they’ve created an impenetrable barrier to those who would violate their software.

THE PROBLEM

Security is not being addressed from a holistic perspective throughout the software lifecycle. Some 80% of all security breaches are application related. Every person involved should consider security as an essential element.

THE SOLUTION

Professional Certification – with CSSLPCM, we will establish an industry standard and instill best practices.

Software Lifecycle Stakeholder Chart

[Chart: the software lifecycle stakeholders named are Top Management, Auditors, Client Side PM, Industry Group Delivery Heads, Business Analysts, Quality Assurance Managers, Technical Architects, Project Managers, Team Leads, Developers & Coders, Application Owners, Security Specialists, IT Manager and Business Unit Heads.]

The following domains make up the CSSLP CBK®. We created them around the specific need for building security into the SDLC.

• Secure Software Concepts – security implications in software development
• Secure Software Requirements – capturing security requirements in the requirements gathering phase
• Secure Software Design – translating security requirements into application design elements
• Secure Software Implementation / Coding – unit testing for security functionality and resiliency to attack, and developing secure code and exploit mitigation
• Secure Software Testing – integrated QA testing for security functionality and resiliency to attack
• Software Acceptance – security implications in the software acceptance phase
• Software Deployment, Operations, Maintenance and Disposal – security issues around steady state operations and management of software

WHY ISN’T EVERYONE DOING IT?

Research indicates that one of the reasons security vulnerabilities find their way into software applications is that lifecycle influencers simply think security is too expensive and time-consuming. But studies prove that the cost of dealing with security problems is infinitely more expensive than preventing them.

Some blame constraints in project scope, schedule and budget when asked why they left security requirements out.

Still others, clients and business units for example, express exasperation over an inability to adequately articulate the security requirements to IT teams who, in turn, aren’t trained to ask for security requirements, or translate the functional requirements into security requirements.

However, when confronted with well-documented irrefutable evidence that building in security saves money, those who make excuses quickly change their tune.

(ISC)2® INTRODUCES SECURITY THROUGH CERTIFICATION

Awareness is all well and good. Awareness might instantly turn every software lifecycle influencer into a security evangelist, but it won’t fix the problem. Certification will provide an objective measure of knowledge, skills and abilities. Education will provide an effective means to impart the know-how.

What exactly does software certification promise? Actually, the National Institute of Standards and Technology states it better than we ever could. This venerable body maintains that security certification “ensures controls are effectively implemented through established verification techniques and procedures, giving organization officials confidence that the appropriate safeguards and countermeasures are in place as means of protection.”

Confidence. Indeed, that’s the ultimate benefit. At (ISC)2, our quest to instill confidence drove us to develop the Certified Secure Software Lifecycle Professional (CSSLPCM) certification program, the most comprehensive software security certification in the industry.

It is category-defining. It will show software lifecycle stakeholders not only how to implement security, but how to glean security requirements, design, architect, test and deploy secure software.

Let it be known that (ISC)2®, as the not-for-profit global leader in educating and certifying information security professionals throughout their careers, is addressing the holes in software development head on.

CSSLPCM IS HOLISTIC - CONSIDER NOTHING LESS

At (ISC)2, our software security certification program is poised to make an enormous impact, in part because it’s the only certification in the industry that ensures that security is considered throughout the entire software lifecycle. Providing a CBK® that is destined to become the industry standard is the foundation of (ISC)2’s reputation in security.

First, CSSLP is not just a test or a course like some certifications. Based on the (ISC)2 CSSLP CBK, it is a comprehensive program that evolves as the security landscape evolves, a program that requires Continuing Professional Education (CPE) credits, allowing you to stay on top of security issues. “What’s secure today may not be secure tomorrow.” This is our program’s mantra. It’s what drives us to keep the CSSLP CBK and certification program relevant and dangerously effective.

Second, our education seminars cover all seven CSSLP CBK domains included in the exam, which we’ll offer beginning in early 2009. Trust that through our program you’ll get the most comprehensive education available on providing security throughout the software lifecycle.

Ours is a holistic approach to security in the software lifecycle. CSSLP smoothly addresses everything the software lifecycle stakeholder needs to know.

THE HOLE WILL NOT FILL ITSELF, SO SIGN UP FOR CSSLP TODAY.

In the end, you have to ask yourself, who will build security into the software lifecycle? Who will assure your clients that their software will be free of holes? It’s qualified people who are empowered with the knowledge that the CSSLP program can give them… YOU. Call 1.866.462.4777 or visit www.isc2.org/csslp today.

CSSLP FACTS

Certification Process:

• Subscribe to the (ISC)2 Code of Ethics
• Provide proof of four years in the SDLC process, or 3 years plus a bachelor’s degree or regional equivalent in an IT discipline
• Submit Experience Assessment essays or pass the examination
• Complete the endorsement process

Experience Assessment Window:

• October 2008 – March 2009
• Standard Fee: US$650

CSSLP CBK Education Program:

• Standard Registration Fee: US$2499
• Education Program Registration begins February 1, 2009

Examination Process:

• Standard registration fee: US$599
• Annual maintenance fee: US$100
• Exam registration begins February 1, 2009

Recertification Requirements:

• Recertification required every three years
• Earn 90 Continuing Professional Education (CPE) credits (minimum 15 CPEs earned each year)
• Pay annual maintenance fees
