What 2008 may bring…

Dec 8th, 2007

Category: Software Security


Well, as is kinda traditional in December, various security bloggers have started predicting what 2008 will bring (there are some interesting thoughts, and links to more predictions, here).
For my 0.02 of your local currency, I think that next year's big topic will be Software Security. A lot of the things we're seeing happen in the security market, the exploding vulnerability metrics and the malware, ultimately come down to poor software design and development.
Now the industry's reaction to this so far seems to be "here's another device for your network to help deal with this". Not surprisingly, this isn't a tenable long-term strategy: you can only keep layering on boxes for so long before things start breaking.
Also, if you look at the Jericho concepts, a key message is that systems have to be able to survive on their own without relying on an ever-decreasing "perimeter". Well, in order to survive you've got to be well designed and well written. The model of hiding all your extremely vulnerable applications behind a big set of perimeter security devices won't work in the future.
So what is this software security trend going to look like in terms of markets? Well, I'd say that companies like Veracode, Fortify and Ounce Labs will do well over the coming year, although perhaps for different reasons.
Veracode's service sounds like it could be really useful in starting to answer the hard question "How do I know this software I'm buying is secure?". Traditionally the most that was done was a black-box pen test of such software, and as people know, black-box penetration testing is a lousy way to assure the security of anything.
Fortify and Ounce make products which can help companies integrate security-focused source code analysis into their development processes. I don't think that many companies have a business model that allows for the cost of a complete manual review of their codebases, so tools are necessary here to help the process scale.
Of course no product is going to solve this sort of problem alone, so I'd hope to see more output along the lines of some of the OWASP projects, giving guidance on the design-side aspects of producing secure software.
