Although information security has traditionally emphasized system-level access controls, the security professional needs to ensure that the focus of the enterprise security architecture includes applications because many information security incidents now involve software vulnerabilities in one form or another. Application vulnerabilities also allow an entry point to attack systems, sometimes at a very deep level. (Web application vulnerabilities have been frequently used in this manner.) Malware is much more than a mere nuisance: It is now a major security risk faced by every enterprise that connects to external networks and allows external data to be ported to their internal systems in some form.
Development of in-house systems, commercial and off-the-shelf software, and controls on the choice, maintenance, and configuration of applications must be given greater attention than has been the case in the past. Unfortunately, at the same time, too few security professionals have a significant programming or systems development background. In addition, training in programming and development tends to emphasize speed and productivity over quality, let alone considerations of security. From the perspective of many developers, security is an impediment and a roadblock. This perception is changing, and in the current development environment, the security professional needs to take care not to be seen as a problem to be avoided.
When examined, most major incidents, breaches, and outages will be found to involve software vulnerabilities. Software continues to grow increasingly larger and more complex with each release. In addition, software is becoming standardized, both in terms of the programs and code used as well as the protocols and interfaces involved. Although this provides benefits in training and productivity, it also means that a troublesome characteristic may affect the computing and business environment quite broadly. Also, legacy code and design decisions taken decades ago are still involved in current systems and interact with new technologies and operations in ways that may open up additional vulnerabilities that the security professional may, or may not, even be aware of.
Consult your syllabus and complete your reading assignment for this week. Then, research ANU’s online library for a peer-reviewed, scholarly article that is no more than 2 years old that deals with one or more concepts covered in your reading assignment.
Summarize the article in your own words, as well as what you learned from it. Then, consult your prior assignments, and discuss how this article fits into the overall landscape of what was covered in Chapters 1-9.
Please note this assignment will be run through Turnitin. Format your assignment using APA standards and attribute all sources.
The post Security in the Software Development Life Cycle first appeared on Ehomeworker.