Ounce in the News


Security in software needs careful scrutiny

October 25, 2007 Government Security News

Summary
A new threat has arisen for national security: software with security vulnerabilities. Despite software's ubiquitous access to data and its inherent complexity, there is no established requirement to certify the security of software before systems are deployed and entrusted with confidential data. We tend to ignore the issue because of our heavy reliance on software and the daunting scope of a thorough software risk analysis and overhaul. But the risks grow daily, since current software arrives with vulnerabilities already built into its source code. Personal information of military personnel, as well as data from critical databases and applications, has been exposed because there is no consistent process for addressing software security. Approaching the issue requires an understanding of how the system, its access controls, and the application itself are written, which brings the problem back to the source code. The exploding trends in service-oriented architectures, web-enabling technologies, and inter-organizational information sharing mandate security in all software, new and old. The first security advancement that must be made is in the area of requirements, and that advancement depends on understanding and analyzing source code for vulnerabilities.

In this editorial feature, Jack Danahy, Founder and CTO of Ounce Labs, the industry leader in source code analysis, shares his insights on software security in national security and commercial sectors.

Read full article at Government Security News.
