By David Worthington | Friday, April 24, 2009 at 4:56 pm
For a story I wrote for SD Times, I asked leading software makers to tell me about the processes they use to develop secure software–and found that most were unwilling to discuss the subject. Some companies will provide specious reasons for not being transparent, including the notion of providing customers with “security through obscurity,’ but I believe that many are simply fearful of appearing disorganized and unconcerned.
How software is designed affects your safety, financial security, and privacy. Poorly-designed software has reportedly enabled foreign intelligence agencies to violate vital infrastructure in the United States (and presumably elsewhere), and it enables those with the know-how to get at your personal information on your own computer.
Consensus is that it is more effective to design software to be as secure as possible as early as possible in its development life cycle. Microsoft and other leading software companies have changed how they develop software to make security a requirement; consequently, vulnerabilities in Microsoft software are down dramatically.
Microsoft now shares its blueprint for developing software with its customers, and has begun to provide developers with free security tools that it uses internally. It did so because its knows that hackers are targeting applications that run on its platform, including third-party ones, as its hardens Windows with additional security.
If Microsoft is rising to the challenge, the other major software makers must be too, right? Wrong. I contacted over 20 leading companies including Apple, IBM, Nokia, Yahoo, only to be largely ignored. Include open source groups in that count. If those companies won’t be transparent, how can you trust the software that powers your cell phone, or stores your financial information?
Believe it or not, I am being told that many companies, including competitors, are asking Microsoft for advice or are simply copying its methods. That’s both encouraging and disappointing.
Some of those companies may be doing the right things, but I’m not encouraged by their silence. Software makers may do security testing after software is developed, or in bits and pieces, lacking a unified, company-wide strategy. However, security cannot be an afterthought, and there is no excuse for the industry to continue place its customers at risk.