Today, information security is a critical and fast-growing area in software engineering. Neglecting security can lead to many damaging problems. Unfortunately, security is still not taken seriously by many software developers, nor is it taught as a required course at most universities. As technology grows more popular, its misuse is becoming more and more serious. Security is not something you can buy and add to a system; it is an integral part of the system that must be “built in”. Even if you can fix some security deficiencies after the system has been developed, it is already too late, and it will cost you much more to fix them than to build in security during the architecture, design and coding phases.
One way to reduce security threats is to increase awareness of security risks. Anyone with common sense would take the necessary measures if he or she knew the risks. However, with the popularity of computers, many risks are not always visible. Your computer may have password protection, but unless you have a very strong password and keep changing it frequently, hackers can still use the “brute force intrusion” technique to guess user names and passwords quickly and attack your computer. You may be careful with unknown emails, but you may still be subjected to “phishing” when you open email from friends without knowing that hackers are using your friends’ names to lure you into opening a virus-infected email attachment or to secretly open a “backdoor” in your computer that lets them collect your personal data.
Knowing the risks is the best defense against hackers. Yet every day there are new threats, new viruses, and new malicious software, so you must keep up with these issues. Every company must have security procedures in place to be ready to deal with new ones. As soon as a security threat is detected, all computers must be on alert and secured with updates and patches in the minimum time possible. When a new vulnerability is detected, a security task force will find a way to repair it with patches, but these can be a security risk too. Patches can point directly to where the weaknesses are, so hackers do not need to search for weaknesses but can just exploit them, because it takes a while until everyone has updated their computers. Unfortunately, some may never update until it is too late.
For software development, security must be “built in” as part of the whole development life cycle. The key concept is that you identify the risks early and take care of them, leading to high-quality security at a low cost. You need security requirements that are clearly and correctly defined for the system. You must design and architect the system with security considerations in mind. You must follow guidelines for secure coding and perform security tests accordingly. Many software developers consider security testing to be non-functional testing. As with many other non-functional tests, most of this testing is performed at the final stages of development, before release to customers. The consequence is that many security bugs, which could have been detected and fixed, pass through the earlier development stages unchecked. The risk is that it will be too late to find and fix a fundamental architectural or design error.
A good software developer knows how to set up a test environment with security in mind, as well as how to handle test data securely. There are security guidelines that must be followed, and it is the project manager’s responsibility to make sure that every developer follows them carefully. In distributed software development, your team can be located anywhere in the world. If the test data contain private information such as personal data or bank accounts, you must make sure they are not sent unprotected over the Internet. Despite the fact that the Internet is a contaminated environment where hackers are everywhere, many companies still do not use data encryption and end up paying much more later. If you use the Internet, you must make sure that the communication lines are secured; try to keep traffic inside the corporate network as much as possible, and use a VPN, SSL-secured links or encryption.
Today laptops are becoming more and more common at work. They are used in the secure company network, and then used outside of work on a wireless network at a coffee shop, airport or home with much less security. The risk of contamination is overwhelming if your computer is not properly protected. An infected computer can come back into the secure company network and endanger the whole network. Today many hackers use a “sniffer” (a small program that captures and transmits information without being discovered). Once it is sneaked onto an unprotected computer, the whole network can be endangered, since it might take a while to be detected. This creates a security hole in the whole company network.
With high-quality security you can mitigate the risks that endanger your business. To do that, you need to learn about security threats and how to fight them, and prevent security bugs from being created, or minimize their number, by following security procedures and guidelines and testing security at all development stages. I also believe that security must be a required course in all universities.
- Blogs of Prof. John Vu, Carnegie Mellon University