If you’re tasked with managing digital security anywhere at all, I feel bad for you. It’s a tough row to hoe. First, new attacks are born, evolved or even reborn daily. Hourly. Commercial antivirus and anti-malware products are for the most part useless against the actual, real danger of unknown exploits in the wild.
So the deck is stacked against you right from the start. On top of that, you’ve got an ecosystem of “tools” and “systems” that are supposedly designed to keep your applications and websites safe, but in fact do almost nothing. I’m not talking about firewalls, IDS and IPS systems. I’m talking about the more holistic aids for sale on the marketplace.
I’m talking about, basically, everything mentioned in Troy Hunt’s blog post. Read it over; it could be a great way for you to win some arguments with whoever’s buying security software in your organization.
Behind all of this, however, is the underlying problem of software: It’s tough to write. Most of the folks you have writing code for you on a daily basis probably aren’t expecting to win any medals, or to impress Knuth with their day-to-day code. They probably only focus on a few things while coding: Will this break the build? Will this fix the problem? Can I check in this code without being fired?
“Is this secure code?” is probably the last thing on your workhorse coders’ minds. The only real way to ensure it’s at the top of their priority list is to train them extensively on what insecure code looks like; train them to cringe and feel dirty whenever they don’t limit the length of their strings, for instance.
Fortunately, there are plenty of great tools for ensuring security at a software level. There are tools that scan code for overflows and such, like Veracode, Fortify, and Coverity. Elsewhere, existing tools like Clang and FindBugs are open source and free to use.
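The “limit the length of your strings” habit mentioned above, and the overflow class the scanners in this paragraph look for, come down to one routine pattern. Here is an added example (my own illustration, not code from the post or from any of the products named): a fixed-size name buffer filled first by an unbounded copy, then by a bounded copy that is told the destination size, always NUL-terminates, and rejects input that does not fit. The `NAME_MAX` size and the sample names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* constructed buffer size for the example */

/* Unsafe pattern: the destination size is never consulted, so any source
 * longer than NAME_MAX - 1 bytes writes past the end of dst. Shown only for
 * contrast with the bounded version below; nothing here calls it with
 * untrusted input. */
void copy_name_unbounded(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);   /* no limit on the length of the string */
}

/* Hardened pattern: the caller passes the destination size, the scan of src
 * never looks past that many bytes, the result is always NUL-terminated, and
 * input that does not fit is rejected instead of silently truncated.
 * Returns 0 on success and -1 when src is too long for dst (dst is then set
 * to the empty string so a caller that ignores the result cannot use stale
 * or partial data). */
int copy_name_bounded(char *dst, size_t dstsize, const char *src) {
    if (dstsize == 0) {
        return -1;
    }
    /* Portable bounded length scan: stop at the first NUL or at dstsize,
     * whichever comes first, so an unterminated src cannot be over-read. */
    size_t n = 0;
    while (n < dstsize && src[n] != '\0') {
        n++;
    }
    if (n == dstsize) {     /* no NUL within dstsize bytes: no room for one */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 <= dstsize, includes the NUL */
    return 0;
}

int main(void) {
    char buf[NAME_MAX];
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *ok = "alice";
    const char *too_long = "a-name-that-is-far-too-long-for-the-buffer";

    int rc = copy_name_bounded(buf, sizeof buf, ok);
    printf("\"%s\" -> rc=%d, buf=\"%s\"\n", ok, rc, buf);

    rc = copy_name_bounded(buf, sizeof buf, too_long);
    printf("\"%s\" -> rc=%d (rejected, buf=\"%s\")\n", too_long, rc, buf);
    return 0;
}
```

The design point is that the bounded version takes `dstsize` as a parameter rather than trusting a declared array size: a static analyzer can then see the relationship between the size argument and the write, and a reviewer can see that an over-long input produces an explicit error rather than a quiet memory write past the buffer.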
And if encryption is your thing, IBM just released its Homomorphic Encryption Library onto GitHub. Now, go lock some things up.