
April 21, 2008 Archives

April 21, 2008

Secure Coding Practices and Web 2.0 Security

I'm not sure how I missed Mary Ann Davidson's original blog posting on fixing security by changing how developers learn to write software (and much more), but I came across Dennis Howlett's response to it on ZDNet recently. Both postings are on the long side, but they are must-reads if you are involved in enterprise software as a creator or a consumer.

By coincidence I also received an email from a colleague about a short white paper from HP covering common Web 2.0 security flaws. It is more an overview than a guide, but it gives a good summary of issues, such as cross-site scripting, that may not be familiar to developers who lack a grounding in core security concepts. The white paper is available here (after a very detailed registration process), but to tie back to the articles above, nearly all of these flaws can be avoided with the right developer mindset, training, and processes.

Some problems will go away as we push complexity down into lower layers of the stack (frameworks that encode output or manage sessions on the developer's behalf, for instance), but the days of developers writing obviously insecure code will only end when we fundamentally change how security is built into applications in the first place.


The Cuckoo's Egg Revisited

Ah. The Cuckoo's Egg. The first non-fiction computer security book I ever read. Even saw the author (Cliff Stoll) give a talk at a local college 10+ years ago.

I was reminded of this book by a great conversation at our Customer Advisory Board last week.

For those of you who haven't read it, the basic idea is that the author, a part-time IT administrator, finds a 75-cent billing discrepancy between two accounting systems. Rather than write this off as a computer error and move on, he discovers that the account of a user on sabbatical had been used, and that one of the system accounting records for that access was intentionally deleted. From there, the book reads like a spy novel as the author tracks the hackers "in the early days", before most people thought about this sort of thing.

While systems were compromised then in much the same way that they are still compromised nearly 20 years later, basic security processes and practices have changed significantly. Identity management gives far more control over inactive accounts, and better enforcement of sound password policies makes it harder for password-cracking tools to be as effective as they once were.

I would love to get email with your IT security war stories that illustrate security then-and-now. I have a few of my own that I'll be sharing as well.


About April 2008

This page contains all entries posted to Clayton Donley's Blog in April 2008. They are listed from oldest to newest.
