Risk Assessment From the Outside In

By Cameron Sturdevant  |  Posted 2006-03-07

Indeed, a risk assessment should factor in the potential damage of information disclosure, whether in the form of fines or the loss of customer confidence. And this assessment should be shared with executives, project managers and developers in ways that each group can understand and act on.

MasterCard's Stanley is a proponent of using outside labs to test the security of the devices—hardware and software—used around the globe to authenticate credit card holders. "We are dealing with 23,000 banks, thousands of processors and 30 to 40 million different merchants on a wide range of platforms," he said. "We need people who can test the hardware and software."

Coffee added that many companies would do well to seek the services of a consultancy focused on security, spreading the development load. "There is no reason to bear the burden of developing and maintaining the skill set for your company when it can be more efficiently leveraged across multiple clients of a security assessment firm," he said.

While Stanley wouldn't say how much the organization's secure software assessment program costs, he did offer a cost guideline. The process of gaining formal software security assurance for an application—such as Common Criteria assurance, a set of IT requirements distilled from U.S., Canadian and European agencies—will likely cost as much as the development of the application and will likely double the time frame for application delivery. According to Stanley, it takes three to five years to put an effective software security assurance program in place.

The trick is to balance resources and risk—no easy task, according to Cigital's McGraw. "We need to figure out how to still produce code and still earn revenue while also balancing out the security equation," he said. "It's a question of risk management."

Qualcomm's Rose is looking to automation to help his company achieve this balance. "The idea is to improve our software development process to the point where it's just automatic that security issues are taken care of, and we'd like to meet that goal in the next couple of years," he said.

There are several automated code checking tools available to aid developers in their security quest, and many are now available as services. Compuware, for example, offers two days of on-site code checking services using its DevPartner SecurityChecker 2.0 for $6,000—a price that allows even smaller, resource-strapped companies to avail themselves of this type of service.

Part of improving the software development process is opening it up to all vested parties. Company executives will require a well-documented impact report that details the costs associated with a software breach. Development project managers and other middle-management groups—acknowledged by all the experts we spoke to as the hardest group to reach—will be swayed by peer comparisons, such as reports that show the number and cost of security errors compared by project.

Regardless of which tools or services are selected, all the experts we spoke with agreed that awareness and commitment are needed at all levels of the organization to ensure that security is a core component of any new application.

E-mail Technical Director Cameron Sturdevant at cameron_sturdevant@ziffdavis.com.


Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.
