Code Development Still not Seeing Security Involvement

Like a Western!

Apr 6, 2016
Code development should have security built in from the start to avoid headaches further along the line, and tools and processes exist to make this possible.

Speaking at the Checkmarx “Shift Left” conference in central London, security researcher Troy Hunt said that it is hard to put numbers on security of code, and it is hard to look at code once it is written and determine if it is good or bad, but if it is bad, it “will cost so much to manage in future.”

Speaking on 'Software Security and Early Prevention of Vulnerable Code', Hunt said that it is educational to go through people’s software and at a late stage, you can “find entertaining vulnerabilities at this stage”.

He said: “It is insightful as often it is the expectation that no one does bad stuff to your software, and ‘no matter what, people screw it up for us’. If we think we use software used in the way it is designed and intended to be used, we are going to have a problem.”

Hunt created the character ‘Vlad’ who delivers the bad news about code flaws, and said that often bad news is delivered at the end of the process during testing, and often “security folks are sick of folks screwing it up.

“We have got to be better with the ‘standoffishness’ between developers and security people; we are all trying to achieve the same thing, and it is a bit of a problem,” he said.

“Businesses don’t understand the nuances of security and want the website to be live, but we know there are vulnerabilities and things may be exploited, so somewhere there has to be compromise, as we know there are risks and can fix them.”
