Computer security problems
Today, computer security is the fastest growing area in software industry. With more hackers, cyber attack, cyber crimes, computer viruses, industrial espionage, identity theft, and fraud, security is becoming more important than ever. As Information Technology (IT) systems grow larger and more complex, they require more sophisticated security systems.
Contradict to many beliefs, security is NOT a product you could buy and add to a system. It should be an integrated part of the system when it is built. Of course, you could fix security deficiencies after the system is built but it would cost you more and nobody could guarantee that all deficiencies are fixed. The security of an IT system depends on the design of the system so it is best to build security in when you design the system. The question is how many students are taught about security in the design course? How many school have security course in their curriculum? Even in programming course, how many students are taught that coding is the fundamental for security? A lack of security knowledge can create many security deficiencies in code. For example the most common mistake is stack overflow where hackers can take advantage to seize control of the system. Today with more computer users all over the world, how many are taught to follow certain necessary caution? Even when you have strong password, good firewall, install security software but most hackers know how to by-pass them. You can defense your system to some degrees but new threats come in all the time so you must keep up with all current developments. You need to use preventative means for known risks and be ready to deal with new ones. As soon as a new security threat is detected, it needs to be secured immediately. That is what software security updates and patches do. As soon as some vulnerability is reported or detected, a company task force will find a way to repair it. Although these patches are necessary, they could be a security risk themselves too. Patches could point out directly where the weaknesses are and hackers would then exploit them. It always takes a while until everyone has updated the software and many may never do it unless it is too late.
When it comes to design a secured IT system, security must be taken in consideration with the whole software development life cycle. The key concept is that you identify security risks early in the system under development and fix them so you can have high quality security. As developers, you need to see that security requirements are clearly defined for the system during the requirements phase. During requirements review, you must check to see if the system is adequately defined with security in mind. Many customers only know how to require certain functions but do not know about security so it is important for the technical leader to come up with new security requirements for the system. During design phase you must make sure that security is part of the design and during implementation phase, you must follow guidelines for secure coding and perform all the tests accordingly. Because security testing has usually been considered as non-functional tests. As with most non-functional tests, these testing are performed at the last part of development after everything else. The consequence is that many security defects which could be detected and fixed early, go easily through development stages until the last part of development. The risk is at that time, most developers and testers are exhausted and time is running out, so many skip these tests. Many users did not check carefully on security issue when they receive the software product. As long as the software do what they need and run well, then they are happy with it. That is why today, most software are vulnerable for hackers to attack.
With outsourcing, software development is divided to many teams, team members can be split anywhere in the world. If the test data contain private information, proprietary data then manager must make sure that they are not sent unprotected from one place to another. However, many managers and developers are not trained in security and do not know how to distinguish them. The Internet can be easily contaminated so if you use Internet as a part of your test environment, you must make sure that all communication lines are secured; try to keep it as much as possible inside the corporate networks, use VPN, SSL-secured links or encryption depending on the situation.
Today, many people use Laptops. They are used in the secure company network, then are used outside in some wireless network at a internet coffee shop, airport or home with much less security. The risk of contamination is overwhelming if your computer is not properly protected. A contaminated computer can comes back in the secure network then endangering the whole network. A small program that captures and transmits information without being discovered can sneaked in this computer, the whole network can be endangered, since it might take a while to be detected. This causes a security hole in the entire company network.
It is important for all developers to learn about security risks and how to fight them. It is important to follow a security procedures and rigorous testing in all software throughout the development phases. Only by awareness, we can prevent damages caused by hackers.
- Blogs of Prof. John Vu, Carnegie Mellon University