Secure Your Code
Microsoft technical fellow Michael Howard has probably forgotten more about
secure software development than you or I will ever know. During a recent interview,
the man behind Microsoft's strategic Security Development Lifecycle (SDL) program
and the co-author of the book
Writing
Secure Code told me that young programmers entering the industry are
simply not being trained about security issues.
"Really good software engineering skills are in incredibly short supply.
We see that when we hire engineers out of school. They know nothing about building
secure software," Howard told me. "They don't know the issues -- it's
as simple as that. They don't understand the issues."
This is a lament I've heard before, and one that extends forward to deep concerns
about the general state of corporate software development. Internal development
shops are simply not doing enough to harden their code, particularly in an era
when attacks are increasingly moving to the application layer.
Howard points a finger at universities that fail to integrate security concepts
into their computer science curricula. He also singles out corporate development
shops for failing to address secure development concepts, both from a training
and operational standpoint. And that's not the worst of it, says Howard.
"You know, the most dangerous thing is the number of people who think
they know how to build secure software, when they don't. That's the scary thing,"
he said.
Is Michael Howard on to something? Tell us what your company is doing to secure
code against attacks and vulnerabilities, and how flawed development might have
helped create a crisis in the past. Write me at [email protected].
Posted by Michael Desmond on 04/25/2007