News

RSA: Hackers Shifting Focus to App Software

Writing more secure software is not a simple task, but it can and should be done for applications, experts say.

"The guys who write systems are pushing their people to write secure software," said Alan Paller, director of research for the SANS Institute. "But the application people have never done that."

As operating systems have become less easy to attack, those writing malicious code are turning more of their attention to applications. Paller said that 90 percent of new hacking tools target applications, a significant increase in the last year.

Paller is not alone in his concerns.

"I share the frustration of the rest of the IT and business worlds that more progress hasn't been made in having sound, secure software," said W. Hord Tipton, executive director of the International Information Systems Security Certification Consortium and a former Interior Department CIO. "We seem to be losing ground."

Not that there are not some areas for hope. "It's extremely spotty," Paller said. "But it's gaining extraordinary ground in the spots." As a nation overall, however, "we suck," he said.

Paller and Tipton are among a panel of experts discussing the challenges of software assurance at the RSA security conference. The security (or insecurity) of applications is a growing concern. A recent study of 200 businesses by Forrester commissioned by Veracode Inc. found that 62 percent had experienced a security breach in the last year because of vulnerabilities in critical software applications. Despite the size of the security hole this represents, only 13 percent of respondents said they knew the security quality of their critical applications, and only 34 percent had a comprehensive software development life cycle process integrating application security.

Tools are available to help with software assurance. IBM Corp. is announcing at RSA this week that its Rational AppScan product now will incorporate the ability to recognize malicious code in program as well as scan for vulnerabilities.

The company's Rational product line is a platform for software development and delivery, and allows code to be evaluated in the production environment as well as during the development phase. A fourfold increase in the amount of malicious code being found in legitimate Web sites in the last year has created a demand for the capability to discover malicious code, said Danny Allan, director of security research for IBM Rational. An estimated 80 percent of malicious code is being delivered through legitimate Web sites where it has been placed surreptitiously.

About the Author

William Jackson is the senior writer for Government Computer News (GCN.com).

comments powered by Disqus

Featured

  • VS Code Now Has Apple Silicon Builds for Native Mac Development

    Goodbye Rosetta, hello M1. Visual Studio Code has been updated with new builds that let it run natively on machines with Apple Silicon (M1), the company's own ARM64 chips.

  • Visual Studio 2019 for Mac v8.9 Ships with .NET 6 Preview 1 Support

    During its Ignite 2021 online event for IT pros and developers this week, Microsoft shipped Visual Studio 2019 for Mac v8.9, arriving with out-of-the-box support for .NET 6 Preview 1, which the company also released recently.

  • Analyst: TypeScript Now Firmly in Top 10 Echelon (Ruby, Not So Much)

    RedMonk analyst Stephen O'Grady believes TypeScript has achieved the rare feat of firmly ensconcing itself into the top 10 echelon of his ranking, now questioning how high it might go.

  • Black White Wave IMage

    Neural Regression Using PyTorch: Training

    The goal of a regression problem is to predict a single numeric value, for example, predicting the annual revenue of a new restaurant based on variables such as menu prices, number of tables, location and so on.

Upcoming Events