Communications of the ACM

ACM TechNews

Why Can't Johnny Develop Secure Software?

Despite a wealth of security knowledge and developers' access to advanced tools, many software security risks remain. Analysts say that vulnerabilities arise because many software developers do not understand how to build security into their code. "There's a lot more acceptance of security as part of the process now, but historically developers have never been responsible for security," says Fortify chief scientist Brian Chess.

Although there have been several initiatives aimed at educating developers about secure software development practices, "the talent coming out of schools right now doesn't have the security knowledge it needs," says SAFECode executive director Paul Kurtz.

Some organizations are implementing secure development frameworks, such as the Building Security In Maturity Model (BSIMM), which impose secure best practices throughout the entire development team. "BSIMM is a good strategy if you have a formalized software development process," Chess says. The goal of the frameworks is to help developers identify and fix the most common coding errors during development, rather than waiting until after the code is complete.

From Dark Reading
View Full Article


Abstracts Copyright © 2010 Information Inc., Bethesda, Maryland, USA