Advertisement
Promo

Security threats Toolkit

Gartner: Developers must be responsible for security

Nick Gibson Builder AU

Published: 30 Nov 2007 12:43 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

…popular desktop security environments do. So these are new products that are emerging now. The desktop is not as secure as we'd like it to be, and there's still tons of room for improvement on the desktop and laptop side of the equation.

Then there's new application environments, like Web 2.0 environments. There was a great presentation by David Backley [chief technology officer at Australian bank Westpac] about how they're using Facebook-type social-networking environments within Westpac to promote collaboration and teamwork, and they're looking at virtual worlds, like Second Life, as well. These sorts of new applications that rely on large distributed network deployment introduce all sorts of new aggregations of security risks.

I say "aggregations"; to break down these application types — virtual worlds, social networks, blogs, whatever it is — if you look at the components that make these up, they're no different from any other application. They may use a language that's a bit newer — Ajax or new forms of HTML — but they're still languages and they still have the same issues: validation and making sure the code has not been altered — the same basic thing.

The issue in the new Web 2.0 world that we're all dealing with is that those components cannot exist by themselves. It's not that you can get a copy of a word processor in one nice tidy piece on its own; Web 2.0 applications are often made up of dozens of these individual components. Those components may come from different companies or may be home-grown, developed internally. Ensuring the security of each one of those components is critical if you're going to ensure the security of the network.

In the end, we just have to watch our applications like a hawk

Andrew Walls, Gartner

With the increased complexity of these collections, or mashups, the challenge to secure them goes up logarithmically. Every time we add more systems together, the [number of] potential interactions, and the potential corruptions among them, expands, and we have to secure each of them. The only way we can secure the whole mass is to secure each component by monitoring, managing data transfer, firewalling, and, in the end, we just have to watch our applications like a hawk. Now these are all standard approaches. Nothing about this is new. We're doing all of these already. The issue is that it's getting more and more complex — we have to do it more aggressively; we have to do it faster; we have to do it at a much more granular level within the application than we have in the past.

As a result, we're seeing vendors with products and services coming out which focus on different levels within applications — to do code reviews, application vulnerability scanning, testing, continuous scanning and testing of application suites. This is all self-defence — how can we automate these tasks to be as responsive as we can be to continue to secure our organisation? It's all about: how can we manage burgeoning complexity in the application environment? The processes are the same as they've always been, but we need to do it faster, and we need to do a lot more of it.

Nobody is going to give you more budget to do it, of course, so you've got to do it with what you've got. You've got to develop your staff, and your tools and your relationships with vendors — you've got to be a much more adept and sophisticated manager to manage security these days.

To what extent is security management going to be playing catch up with the malicious side of the security industry?
You can close the gap to a certain extent, but you're always going to be lagging slightly behind. This is the same situation that law enforcement faces: certain national governments notwithstanding, you generally can't arrest someone before they've done something wrong.

It's very difficult to defend against a truly novel attack. We know how to defend against attacks that are in classes of attacks that we know. A virus? Well, we know how to defend against viruses; we understand essentially how they work. We understand buffer overflows, so…

Next

Previous

1 2 3


  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
3 out of 3 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats



Company/Topic Alerts

Create a new alert from the list below:







Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

Official Organizations Losing Data

How does this article from earlier today make you feel? How many more government, health service, or military officials are going to lose pen drives, DVDs, USB hard disks and even entire... More

1 comment

Twitter hack was DNS redirect

Twitter has said an attack on Thursday which took the site offline for many users was the result of a DNS redirect. A group calling itself the Iranian Cyber Army redirected users... More

1 comment

McKinnon lawyers seek judicial review

Lawyers seeking a judicial review for Nasa hacker Gary McKinnon lodged fresh evidence of his psychiatric state at the High Court on Thursday. Karen Todner, McKinnon's solicitor,... More

1 comment

Win a BlackBerry with Vlingo voice recognition

Win a BlackBerry with Vlingo voice recognition

What is ZDNet UK's usual tagline?

Competition closes - 14 Jan 2010


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters