Communications of the ACM

ACM TechNews

Why Can't Johnny Develop Secure Software?


Despite a wealth of security knowledge and developers' access to advanced tools, many software security risks remain. Analysts say that vulnerabilities arise because many software developers do not understand how to build security into their code. "There's a lot more acceptance of security as part of the process now, but historically developers have never been responsible for security," says Fortify chief scientist Brian Chess.

Although there have been several initiatives aimed at educating developers about secure software development practices, "the talent coming out of schools right now doesn't have the security knowledge it needs," says SAFECode executive director Paul Kurtz.

Some organizations are adopting secure development frameworks, such as the Building Security In Maturity Model (BSIMM), which apply secure-coding best practices across the entire development team. "BSIMM is a good strategy if you have a formalized software development process," Chess says. The goal of such frameworks is to help developers identify and fix the most common coding errors during development, rather than waiting until after the code is complete.

From Dark Reading

Abstracts Copyright © 2010 Information Inc., Bethesda, Maryland, USA
