Today, computer security is the fastest growing area in software
industry. With more hackers, cyber attack, cyber crimes, computer
viruses, industrial espionage, identity theft, and fraud, security is
becoming more important than ever. As Information Technology (IT)
systems grow larger and more complex, they require more sophisticated
security systems.
Contradict to many beliefs, security is NOT a product you could buy
and add to a system. It should be an integrated part of the system when
it is built. Of course, you could fix security deficiencies after the
system is built but it would cost you more and nobody could guarantee
that all deficiencies are fixed. The security of an IT system depends on
the design of the system so it is best to build security in when you
design the system. The question is how many students are taught about
security in the design course? How many schools have security course in
their curriculum? Even in programming course, how many students are
taught that coding is the fundamental for security? A lack of security
knowledge can create many security deficiencies in code. For example the
most common mistake is stack overflow where hackers can take advantage
to seize control of the system. Today with more computer users all over
the world, how many are taught to follow certain necessary caution? Even
when you have strong password, good firewall, install security software
but most hackers know how to by-pass them. You can defense your system
to some degrees but new threats come in all the time so you must keep up
with all current developments. You need to use preventative means for
known risks and be ready to deal with new ones. As soon as a new
security threat is detected, it needs to be secured immediately. That is
what software security updates and patches do. As soon as some
vulnerability is reported or detected, a company task force will find a
way to repair it. Although these patches are necessary, they could be a
security risk themselves too. Patches could point out directly where the
weaknesses are and hackers would then exploit them. It always takes a
while until everyone has updated the software and many may never do it
unless it is too late.
When it comes to design a secured IT system, security must be taken
in consideration with the whole software development life cycle. The key
concept is that you identify security risks early in the system under
development and fix them so you can have high quality security. As
developers, you need to see that security requirements are clearly
defined for the system during the requirements phase. During
requirements review, you must check to see if the system is adequately
defined with security in mind. Many customers only know how to require
certain functions but do not know about security so it is important for
the technical leader to come up with new security requirements for the
system. During design phase you must make sure that security is part of
the design and during implementation phase, you must follow guidelines
for secure coding and perform all the tests accordingly. Because
security testing has usually been considered as non-functional tests. As
with most non-functional tests, these testing are performed at the last
part of development after everything else. The consequence is that many
security defects which could be detected and fixed early, go easily
through development stages until the last part of development. The risk
is at that time, most developers and testers are exhausted and time is
running out, so many skip these tests. Many users did not check
carefully on security issue when they receive the software product. As
long as the software does what they need and run well, then they are
happy with it. That is why today, most software is vulnerable for
hackers to attack.
With outsourcing, software development is divided to many teams, team
members can be split anywhere in the world. If the test data contain
private information, proprietary data then manager must make sure that
they are not sent unprotected from one place to another. However, many
managers and developers are not trained in security and do not know how
to distinguish them. The Internet can be easily contaminated so if you
use Internet as a part of your test environment, you must make sure that
all communication lines are secured; try to keep it as much as possible
inside the corporate networks, use VPN, SSL-secured links or encryption
depending on the situation.
Today, many people use Laptops. They are used in the secure company
network, and then are used outside in some wireless network at an
internet coffee shop, airport or home with much less security. The risk
of contamination is overwhelming if your computer is not properly
protected. A contaminated computer can comes back in the secure network
then endangering the whole network. A small program that captures and
transmits information without being discovered can sneak in this
computer; the whole network can be endangered, since it might take a
while to be detected. This causes a security hole in the entire company
network.
It is important for all developers to learn about security risks and
how to fight them. It is important to follow a security procedures and
rigorous testing in all software throughout the development phases. Only
by awareness, we can prevent damages caused by hackers.
0 comments:
Post a Comment