After a very mild winter this year, the Northeast part of the country found itself stuck in a prolonged “early spring” where it seemed like, but for a couple of days, temperatures refused to warm up from the 40s and 50s. We seemed to be stuck in the ether between “actual cold” and “comfy warm” for quite a while, until the past week or so.
When the temperatures finally turned upward into the 60s and 70s, I happily threw open all the windows in the house to “air the place out.” Apparently, though, the insect population of my neighborhood had been waiting for this moment as well and took my open windows as an invitation to breach the many holes that have somehow sprung up in my screens over the years. On the bright side, I got a good bit of exercise chasing after flying critters with my fly swatter (oh, how I long for the days when environmentalists didn’t guilt us out of using that magical red can of bug spray).
As I went about my business swatting flying insects that had infiltrated my house, I noted a sort of irony in what I was doing. After many posts about fixing issues (i.e., holes) with application software to avoid bugs breaching a company’s infrastructure, I realized that I had failed to heed my own advice. So I did to my screens what any good software developer should do when he realizes there are holes in his software – I fixed them. I haven’t seen a flying critter in the last three days despite my windows all being open.
There’s a Hole in the Bucket
Fixing holes might seem like the logical first line of prevention against an outside entity breaching a company’s software portfolio, whether with bugs, viruses or any other manner of malware. Why is it, then, that many who claim to be “in the know” immediately jump to measures that either help identify a breach without preventing it, or take a shotgun rather than a flyswatter to the problem?
In a recent post over at Dark Reading, John Sawyer writes yet another column about what companies need to do to prevent data leaks in their organizations. Most of his solutions are necessary, if predictable: encryption, locking down the network and employee education. All of these are necessary elements of any good security program, but, as so many security discussions do, his leaves out one significant element: eliminating the point of infiltration.
Encryption is not infallible. It protects data at rest and in transit, but the application that serves the data has to be able to decrypt it, so a flaw in that application hands an attacker the plaintext no matter how strong the cipher is. As for locking down a network, it is not only pretty drastic, but if the attack comes from within the organization, a locked-down network is about as effective as the infamous Maginot Line that was supposed to protect France from Germany in World War II. (For those not into history like I am, the Germans simply went around it, through Belgium.)
Employee education is extremely important, though, and I credit Sawyer for bringing it up. So much of what troubles an organization’s IT portfolio is introduced by its own employees, both knowingly and unknowingly. Nevertheless, if there were no flaws in the application software to breach, the data would not leak through it.
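To make the point about encryption concrete, here is an added illustration (not code from the post or from CAST): a small application that encrypts a sensitive column before storing it, then serves it through a lookup that builds its SQL by string concatenation. The rows, the key, the toy SHA-256 counter-mode cipher (a stand-in for a real authenticated cipher, never to be used for real data) and the hypothetical `lookup_vulnerable`/`lookup_fixed` functions are all constructed for this example. Because the application legitimately holds the key, the injection hole in `lookup_vulnerable` returns every customer's secret in plaintext; the parameterised `lookup_fixed` closes the hole, and the encryption at rest is exactly as strong in both cases.

```python
"""Encryption at rest does not stop a leak through an application hole.

Added illustration; everything here is constructed for the demo: the
customer rows, the key, and the toy cipher, which stands in for a real
authenticated cipher and must not be used to protect real data.
"""
import hashlib
import sqlite3

KEY = b"constructed-demo-key"  # assumption: the key the application legitimately holds


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode over key || nonce (demo only)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; a unique nonce per record keeps streams distinct."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR with the same keystream reverses it


def build_db() -> sqlite3.Connection:
    """Constructed sample table: the SSN column is encrypted before it is stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, ssn BLOB)"
    )
    rows = [("alice", "Acme Ltd", "111-22-3333"), ("bob", "Beta Corp", "444-55-6666")]
    for rid, (owner, name, ssn) in enumerate(rows, start=1):
        nonce = rid.to_bytes(8, "big")  # the row id doubles as the per-record nonce
        conn.execute(
            "INSERT INTO customers VALUES (?, ?, ?, ?)",
            (rid, owner, name, encrypt(KEY, nonce, ssn.encode())),
        )
    return conn


def _decrypt_rows(rows):
    """The application decrypts whatever the query returned: it has the key."""
    return [decrypt(KEY, rid.to_bytes(8, "big"), ct).decode() for rid, ct in rows]


def lookup_vulnerable(conn, owner: str, name_filter: str):
    """The hole: the filter is pasted into the SQL, so the owner check can be bypassed."""
    sql = (
        f"SELECT id, ssn FROM customers WHERE owner = '{owner}' "
        f"AND name LIKE '%{name_filter}%'"
    )
    return _decrypt_rows(conn.execute(sql).fetchall())


def lookup_fixed(conn, owner: str, name_filter: str):
    """The fix: values are bound as parameters and are never interpreted as SQL."""
    sql = "SELECT id, ssn FROM customers WHERE owner = ? AND name LIKE ?"
    return _decrypt_rows(conn.execute(sql, (owner, f"%{name_filter}%")).fetchall())


def stored_ciphertext(conn, rid: int) -> bytes:
    """What an attacker reading the database file directly would see."""
    return conn.execute("SELECT ssn FROM customers WHERE id = ?", (rid,)).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    payload = "%' OR 1=1 --"  # constructed injection string; comments out the closing quote
    print("at rest:", stored_ciphertext(db, 1))           # ciphertext, encryption holds
    print("vulnerable:", lookup_vulnerable(db, "alice", payload))  # both customers' SSNs
    print("fixed:", lookup_fixed(db, "alice", payload))   # nothing matches the literal filter
```

The stored column is ciphertext in both versions, so a dump of the database leaks nothing; the leak in the vulnerable version happens entirely above the encryption layer, which is why the hole, not the cipher, is what needs fixing.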
So Fix It
Like so many issues with the IT portfolios of today’s companies, problems with application performance, security breaches included, can be traced back to the structural quality of the software. What needs to happen, therefore, is for companies to make themselves aware of the issues that already exist within their portfolios.
To be protected at the very core of their IT portfolios, companies need to perform thorough assessments of the applications in them. This base protection platform should start with automated analysis and measurement while software is being built or customized, so that at each stage of the build issues are caught and dealt with before they become problems. As the oft-cited rule of thumb from software engineering studies has it, a defect becomes roughly ten times more expensive to fix at each successive stage than it would have been in the stage before.
However, assessing applications only during builds ignores the fact that structural quality standards keep rising. What was sufficient for keeping data secure just a few years ago may no longer be good enough to keep it locked down. This is why companies should also perform periodic analysis of the entire portfolio to identify the applications that no longer measure up to current standards for structural quality.
So when companies are starting to consider all the things they need to do to secure their IT portfolios, they should think of their homes and remember, the fewer holes there are, the fewer bugs there will be.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now place equal value on technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and the liability implications of open source components, all three of which are critical for M&A due diligence.