Dr. Carol Woody of SEI was recently featured on a CISQ webinar about the correlation between software quality and software security. Her lessons on this topic highlight why software security cannot be something added after the fact; it must instead be factored into the development of software applications from the moment coding begins.
This is a lesson that companies such as Sony need to learn. While past breaches, like the ones carried out by the LulzSec group in 2011, affected their customers and cost them dearly in terms of reputation and reparations, the one they suffered late last year hurt them much closer to home, when cyber criminals breached Sony's entire network and threatened to expose all of the stolen data.
The corporation, which had already settled lawsuits from its customers for exposing their information, now faces a class action lawsuit brought by its own employees who say their data was not protected from hackers. Since Sony could not have been so obtuse as not to have added security following its security breaches in 2011 and 2012, one can only assume that their security problems run far deeper than the security added on top of their network – like right down to the application quality.
Even the best security system will only tell a company when someone or something has breached its structure; security software won’t keep out the unauthorized. In order to locate the potential risks within software, IT departments need to be more vigilant and perform thorough structural analysis of applications. By performing intensive application analysis, a company can identify points of vulnerability within the structure of its application software during the build process and know where the holes are that need plugging before an application is deployed.
Sony needs to take a serious look at its internal software systems, and to do this, it needs to employ automated analysis and measurement.
To try to analyze all of its internal systems manually would not only be tedious, it would also be expensive and grossly inefficient. Automated code analysis would allow the company to see each application much more efficiently and to go beyond one developer's view of things like input validation – a weakness that provides an easy entry point for an attacker – or any business transaction that might fail on its own. Furthermore, it gives management the means to track, incentivize and ensure that security, stability and efficiency traps are not introduced, either inadvertently or maliciously, into its enterprise software. In other words, by gaining visibility into a potential threat, the company can eliminate it before it becomes a security problem.
At a time in world economics when no company can afford to take on the added debt of making financial reparations to customers, never mind its own employees, Sony and other breach victims would do well to watch their back doors as much as they do their bottom lines.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now place equal value on technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target's systems, customized quality metrics, and an assessment of the liability implications of open source components – all three of which are critical for M&A due diligence.