On Thursday 19th May 2011 I will be speaking at The 2nd International Secure Systems Development Conference in London on the subject of smartphone security, entitled "I own your smart phone (and of course your private life and your business life)"

But why is code security so important?

The use of complex software is now part of daily business life. Unfortunately cyber criminals are taking advantage of this to spread malware and to attack systems with the aim of stealing information, money and intellectual property.

Information security specialists have been relatively successful in protecting networks and data systems from these cyber criminals but, to date, computer software has been an Achilles heel, open to attacks that take advantage of bugs and errors in computer code. Once a security bug is found it can be abused by cyber criminals whilst a business, in many cases, remains blissfully unaware that they are under attack.

Computer software must therefore be checked for security related bugs--a process that has historically been very manually intensive and expensive, with limited scalability and needing access to the underlying source code.

It's a software developer's job to write application code that satisfies customer requirements and meets business objectives. This code needs to be functional, usable, reliable and with acceptable performance and supportability. As the modern world relies on software to function, teams of developers must do their best to churn out millions of lines of code under huge pressure to satisfy customer demand. 

With looming deadlines and the need to do yet more work developers, in the past, had little time to ensure their code was free from bugs or errors that opened security holes in the application. Fortunately, as many applications ran within a client server network, relatively isolated from the outside world, this approach was normally successful.

Then along came the Internet, the World Wide Web and the subsequent massive growth in handheld devices that exposed what would be normally closed applications to millions of anonymous users. Combine this with the recent introduction of organised cyber criminals continuously looking for new ways of committing crime, and the computer security ground rules have been rewritten forever.

Against this background we have seen a huge move towards componentised code, and the reuse of code libraries and functions that had been developed in house, purchased or borrowed from other developers. As customers have looked to slim down their costs, the use of commercial and open sourced software grew. Outsourced software development has seen projects sent across the other side of the world to be written by developers they have never met in a country they may never have visited. So not only do developers need to worry about security defects in the code they write, but also in the code they reuse.

This perfect storm raises huge concerns in the minds of information security professionals who are trying to get a grip on the scale and diversity of software entering their organisations.
On the other hand we need to consider the developers. The sheer volume of potential security flaws and new and emerging threats can be overwhelming to a developer under pressure to roll out yet another new feature.

Software development managers and information security professionals need to act now to address the security of the software they write, purchase or co-opt into their solutions.

I recommend this event for both security professionals and developers alike.

Nigel Stanley
Practice Leader - Security
Bloor Research