Enterprise software security assessment
The problem: defective software is insecure software

Insecure software is a major factor in internal and external fraud. This seemingly obvious observation is borne out by a research study we performed that analyzed a sample of 167 customer data breaches.1 Based on data provided by the Privacy Rights Clearinghouse,2 the study classified each event according to attack method, attacker and vulnerability exploited. A conservative estimate showed that 49% of the events exploited software defects, as shown in the table below. In principle, then, about half of the risk can be mitigated by removing software defects from existing applications. The question, which we will answer later, is how.

1 2005 Breach Analysis, April 2006, http://www.software.co.il/downloads/breachAnalysis2005.xls
2 Privacy Rights Clearinghouse, http://www.privacyrights.org/
The Carnegie Mellon Software Engineering Institute (SEI) reports that 90 percent of all software vulnerabilities are due to well-known defect types (for example, using a hard-coded server password, or writing temporary work files with world-readable permissions). All of the SANS Top 20 Internet Security vulnerabilities are the result of “poor coding, testing and sloppy software engineering”; see “Developing Secure Software,” Noopur Davis, http://www.softwaretechnews.com/stn8-2/noopur.html.

Do organizations really want to improve production software quality?

Let’s examine commitment to quality at three levels in an organization: end users, development managers and top executives. Users are conditioned to accept unreliable software on their desktops, and development managers are inclined to accept faulty software as a trade-off for meeting a development schedule. Executives, while committed to the quality of their own products and services, do not find security breaches sufficient reason to become security leaders with their enterprise systems because:
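The two defect types named above as examples of the SEI's “well-known” category, world-readable temporary files and hard-coded passwords, are concrete enough to show in code. The following is an added example written for this page, not code from the original page or from any referenced vendor: the defective temp-file pattern beside a hardened one, and the kind of first-pass source check an assessment would run for hard-coded credentials. The umask value (0o022, a common server default), the credential-name regex and the sample source lines are all assumptions constructed for the demonstration.

```python
"""Added example: two well-known defect types from the text, each shown as
the defective pattern beside a hardened one, plus a source check for the
second. Sample data below is constructed for the demonstration."""
import os
import re
import stat
import tempfile


def write_temp_insecure(data: bytes, directory: str) -> str:
    """Defective: fixed file name, created by open() under the process umask.
    open() requests mode 0o666, so with a typical umask of 0o022 the file
    ends up 0o644 and any local account can read the work data."""
    path = os.path.join(directory, "work.tmp")
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def write_temp_secure(data: bytes, directory: str) -> str:
    """Hardened: mkstemp() chooses an unpredictable name, opens it with
    O_CREAT|O_EXCL (a pre-planted file cannot be hijacked) and mode 0o600,
    so only the owner can read it regardless of the umask."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="work-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    except Exception:
        os.unlink(path)
        raise
    return path


def compare_temp_files(umask: int = 0o022) -> dict:
    """Create both files under an explicit umask (assumed 0o022, set here so
    the run is repeatable) and report permission bits and world-read status."""
    directory = tempfile.mkdtemp(prefix="assess-")
    old = os.umask(umask)
    try:
        insecure = write_temp_insecure(b"customer export", directory)
        secure = write_temp_secure(b"customer export", directory)
    finally:
        os.umask(old)
    result = {}
    for label, path in (("insecure", insecure), ("secure", secure)):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        result[label] = {"mode": mode,
                         "world_readable": bool(mode & stat.S_IROTH)}
    return result


# Hard-coded credential check for source review. The pattern is a simple
# heuristic assumed for this example (not a published rule): a credential-like
# name assigned a quoted literal of four or more characters. Values read from
# the environment or a secrets store are not quoted literals, so they do not
# match; empty placeholder strings are too short to match.
_HARDCODED = re.compile(
    r"""(?ix)
    (?:pass(?:word|wd)?|secret|api_?key|token)\b   # credential-like name
    \s*[=:]\s*                                     # assignment
    (["'])(?P<value>[^"']{4,})\1                   # quoted literal
    """
)


def find_hardcoded_credentials(source: str):
    """Return (line_number, line) for each line assigning a credential literal.
    A first-pass review aid, not proof that no credential is embedded."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if _HARDCODED.search(line):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample source for the check (not from any real system).
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "hunter2"                     # defective: literal in code
api_key: "sk-live-0123456789abcdef"         # defective: literal in config
password = os.environ["DB_PASSWORD"]        # hardened: supplied at runtime
password = ""                               # placeholder, not a credential
"""


if __name__ == "__main__":
    for label, info in compare_temp_files().items():
        print(f"{label}: mode {info['mode']:o}, "
              f"world readable: {info['world_readable']}")
    for lineno, line in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: {line}")
```

Run stand-alone, the script shows the open()-created file at 0o644 and the mkstemp() file at 0o600, and flags only the two lines of the constructed sample that embed a literal credential. The check is deliberately coarse; in an assessment it is a starting point for manual review, not a substitute for it.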
Move now and do something about it? We are confident we can help your organization improve enterprise software application quality and reduce security vulnerabilities. Contact us today for a free consultation and quotation.
