Information
is power. Software manages the information and access to the
information. Today's software environment is a multilayered
and multi-component based. Building a secure software starts
with designing a secure software. In this session we will discuss
the best practices (and worst practices) in developing secure
software through out the software development lifecycle.
A
panel of software industry experts will share their experiences
and lessons learnt. This promises to be a great event. Some
of the themes you will hear include:
Seeing
the big picture -
Peer review is part of the security process; your attackers
are becoming very skilled at finding exploitable software bugs
using automated tools to help them. Everyone needs to see the
big picture
Rule
of Simplicity -
Design for simplicity; add complexity only where you must. Default
to Deny, compartmentalization of code is good for more than
security.
Sweat
the small stuff -
Just because certain attack vectors are obscure does not negate
their effectiveness; writing good clean code is safer and more
sane than allowing a program to "protect" bad coding
practices at execution time.
Don't
use your customers as your Q/A staff -
The Microsoft Software Release cycle is destroying security
from the users and programmers perspective; it causes users
to not want to upgrade, and it causes programmers to not want
to fix security problems.
Don't
build a $100,000 fence for a $1,000 horse -
All data is not created equal, don't treat it as such. Let the
protection be commensurate with the asset.
Know
your tools. Choose them wisely -
Low level languages are not the problem; they are the most widely
understood. Security is a process not a language.
Audit
trails -
Trust with accountability. Every significant access, whether
denied or permitted must maintain an audit trail.
Panelists:
