January 27, 2006

Code Scanning Tools Do Not Make Software Secure

Michael Howard has an excellent post on why code scanning tools do not make software secure. I think he had an interesting formula that sums it up:

"Not-so-knowledgeable-developer" + great tools == marginally more secure code

Running static analysis tools alone won't make your code secure. But they are a great asset in your arsenal when used alongside secure programming principles and practices.

I think he hit it out of the ballpark with this comment:

Creating secure software requires having an executive mandated, end-to-end process requiring on-going education, secure design based on threats, secure coding policy and testing policy, penetration and fuzz testing focused on new and old code, a credible response process and finally a feedback loop to learn from mistakes.

Yep. That's exactly it. Security is a process that needs buy-in from the top down, all the way from the CEO to the junior programmer. It has to be part of your software development lifecycle and has to be accepted by all.

But great tools don't hurt!

Posted by SilverStr at January 27, 2006 12:41 PM | TrackBack
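To make the distinction concrete, here is an added example that is not from the post or from Howard's article: it contrasts the kind of defect a code-scanning tool catches (a known-dangerous API pattern, here an unbounded strcpy into a fixed buffer) with the kind it cannot (a missing authorization check that only a threat-model-driven design review or test would find). All function names, the buffer size and the owner/admin policy are my own constructed illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1. What a code scanner finds: a dangerous-API pattern.
 * Scanners flag strcpy() into a fixed-size stack buffer on the pattern
 * alone, with no need to understand what the program is for.
 * (Constructed example; the function names are hypothetical.) */
int copy_name_flagged(const char *name) {
    char buf[16];
    strcpy(buf, name);           /* flagged: unbounded copy into buf[16] */
    return (int)strlen(buf);
}

/* The same function after the fix a scanner would push you toward:
 * the length is checked first and the copy is bounded.
 * Returns the length copied, or -1 if the input does not fit. */
int copy_name_fixed(const char *name) {
    char buf[16];
    size_t n = strlen(name);
    if (n >= sizeof buf)
        return -1;               /* refuse rather than overflow */
    memcpy(buf, name, n + 1);
    return (int)n;
}

/* 2. What a code scanner does NOT find: a design-level flaw.
 * Nothing below matches a dangerous-API pattern, so the scanner reports
 * the code as clean. It is still wrong against the (assumed) threat
 * model: only the file's owner or an administrator may delete it.
 * Returns true if the delete was performed. */
bool delete_file_scanner_clean(const char *user, bool is_admin,
                               const char *path, const char *owner) {
    (void)user; (void)is_admin; (void)owner;   /* never consulted */
    printf("deleting %s\n", path);
    return true;
}

/* The correct version. The fix comes from knowing the threat, not from
 * any tool warning: the check is simply present now. */
bool delete_file_correct(const char *user, bool is_admin,
                         const char *path, const char *owner) {
    if (!is_admin && strcmp(user, owner) != 0)
        return false;            /* denied: neither owner nor admin */
    printf("deleting %s\n", path);
    return true;
}

int main(void) {
    /* Constructed inputs. */
    printf("fixed copy of short name: %d\n", copy_name_fixed("alice"));
    printf("fixed copy of long name:  %d\n",
           copy_name_fixed("a-very-long-user-name-here"));
    printf("mallory via clean-looking code: %d\n",
           delete_file_scanner_clean("mallory", false,
                                     "/home/alice/notes", "alice"));
    printf("mallory via correct code: %d\n",
           delete_file_correct("mallory", false,
                               "/home/alice/notes", "alice"));
    return 0;
}
```

The scanner earns its keep on the first pair: the strcpy is a mistake that has been made thousands of times, and the tool stops you from making it again. The second pair is where Howard's process argument bites: the code compiles, passes every pattern check, and still lets any user delete any file, because nobody wrote down who is allowed to.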
Comments

Code scanning tools have one sainted purpose - they prevent you from making the same old mistake over again.

Posted by: Alun Jones at January 27, 2006 01:38 PM
