Risk Assessment From the Outside In

Indeed, a risk assessment should factor in the potential damage of information disclosure either in the form of fines or the loss of customer confidence. And this assessment should be shared with executives, project managers and developers in ways that each group can understand and act on.

MasterCard's Stanley is a proponent of using outside labs to test the security of the devices (hardware and software) used around the globe to authenticate credit card holders. "We are dealing with 23,000 banks, thousands of processors and 30 to 40 million different merchants on a wide range of platforms," he said. "We need people who can test the hardware and software."

Coffee added that many companies would do well to seek the services of a consultancy focused on security, spreading the development load. "There is no reason to bear the burden of developing and maintaining the skill set for your company when it can be more efficiently leveraged across multiple clients of a security assessment firm," he said.

While Stanley wouldn't say how much the organization's secure software assessment program costs, he did offer a cost guideline. The process of gaining formal software security assurance for an application (such as the Common Criteria assurance, a set of IT requirements distilled from U.S., Canadian and European agencies) will likely cost as much as the development of the application and will likely double the time frame for application delivery. According to Stanley, it takes three to five years to put an effective software security assurance program in place.

The trick is to balance resources and risk: no easy task, according to Cigital's McGraw. "We need to figure out how to still produce code and still earn revenue while also balancing out the security equation," he said. "It's a question of risk management."

Qualcomm's Rose is looking to automation to help his company achieve this balance.
"The idea is to improve our software development process to the point where it's just automatic that security issues are taken care of, and we'd like to meet that goal in the next couple of years," he said.

There are several automated code checking tools available to aid developers in their security quest, and many are now available as services. Compuware, for example, offers two days of on-site code checking services using its DevPartner SecurityChecker 2.0 for $6,000, a price that allows even smaller, resource-strapped companies to avail themselves of this type of service.

Part of improving the software development process is opening it up to all vested parties. Company executives will require a well-documented impact report that details the costs associated with a software breach. Development project managers and other middle-management groups (acknowledged by all the experts we spoke to as the hardest group to reach) will be swayed by peer comparisons such as reports that show the number and cost of security errors compared by project.

Regardless of which tools or services are selected, all the experts we spoke with agreed that awareness and commitment are needed at all levels of the organization to ensure that security is a core component of any new application.

E-mail Technical Director Cameron Sturdevant at email@example.com.

Check out eWEEK.com for the latest news, reviews and analysis in programming environments and developer tools.