Security As Add-On Feature Doesn't Work
It's hard enough to design and implement software that minimizes vulnerabilities when security is a key priority, it's practically impossible to do it as an afterthought. Take the example from a study from California on voting machine security. The San Francisco Chronicle quoted Secretary of State Debra Bowen who said researchers:
were able to bypass physical and software security in every machine they tested
And why was that? A number of reasons from sure but the most telling comment came from Matt Bishop, a UC, Davis computer science professor and security expert, who said:
The vendors appeared to have designed systems that were not high assurance (of security) ... The security seems like it was added on.
Trying to secure software after it is designed is like trying to add structural integrity to a building after it's constructed. It can't be done. Secure coding practices aren't a module that can be added on along with other new features. At best you can isolate vulnerabilities to keep them from being exploited.
One thing we should keep in mind when we develop and deploy applications is that multi-vector attacks take advantage of multiple weaknesses. An application vulnerability in itself does not need to be so bad that it alone can compromise a system, it just needs to be one piece of the puzzle put together by an attacker.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
