Have you performed code analysis on your software recently? If not, you are in good company as many companies are failing to do the one thing that could improve their software security – making sure the software isn’t vulnerable to an attack to begin with.
In a recent contribution to Forbes.com, James Lyne, Global Head of Security Research for Sophos, takes to task the multitude of organizations that have characterized recent breaches of their security as having been “sophisticated attacks” or “an APT, or Advanced Persistent Threat.” He points out that in many of these cases, the claims of sophistication are just saving face – companies unwilling to admit that they left an open gateway through which hackers could enter…or as he put it, “it certainly sounds better than ‘we got hacked, we had a file called passwords.txt. Oops!’”
He goes on to point out that, “There is no 100% in security, but the sad reality is many organizations being breached are failing to implement basic security controls and are trampled by entirely preventable malicious code.”
His analysis is truer than one would care to think.
One thing most security breaches have in common is that they were the result of some application quality defect that served as a point of vulnerability. If that vulnerability didn’t exist, then it stands to reason that any attack that would have slipped through the “human” layer of defense would likely have been thwarted.
Evaluating an application for its structural quality defects is critical since these defects are difficult to detect through standard testing. Nevertheless, these are the defects most likely to cause security breaches by unauthorized users.
A company that truly wants to address a potential security breach should first perform a code analysis on the applications in its IT system to find which of them have issues with structural quality that could have been the breaching point (or points). Most companies historically have avoided doing this because all they had available to them was either manual testing – which is grossly inefficient in terms of accuracy, cost and time investment – or comprehensive analysis platforms that only large enterprises could afford.
Today, however, there are automated analysis and measurement tools on the market offered via Software as a Service (SaaS), which makes it cost-effective and much easier to utilize code analysis to find application vulnerabilities in an IT system. In fact, with these SaaS versions of automated analysis and measurement on the market, finding vulnerabilities should probably be bumped in priority to BEFORE a breach happens.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and the liability implications of open source components – all three of which are critical for M&A due diligence.