Companies Continue to Invest in Firewalls, IDSs, and Anti-Virus Software Yet Continue to Suffer From Damaging Security Breaches.
By Jon Oltsik
BURLINGTON, Mass. – May 16, 2005 – Information security issues have created a corporate paradox. Companies continue to invest in firewalls, IDSs, and anti-virus software, yet they continue to suffer from damaging security breaches. Furthermore, as more and more users access the network from partner sites and remote devices, this situation will likely get worse.
Why is this bad situation getting worse? One reason is that firms continue to purchase tactical security “band-aids” when more radical surgery is needed. This situation is most evident when it comes to software development. Most hacking attacks target software deficiencies, but few companies do security testing of their source code. This negligence is ultimately quite costly: it is estimated that it costs between 30 and 100 times more to fix a security problem in production software than it does to address the same problem during development.
In a recent interview with SC Magazine, former cyber-security Czar Richard Clarke made this very point: “If company systems were supported by decent code in the first place, hackers couldn’t get in,” says Clarke. “Why don’t we go after the cause while we’re dealing with the symptoms? We need to have the best experts in the private sector, the universities and the government get together and create a set of best practices and standards for code writing.”
Enter Klocwork, a spinout of Nortel Networks in Ottawa, Canada. Klocwork software examines the source code itself, looking for security violations in both design and implementation. While other security vendors provide this functionality, Klocwork looks for security problems in the context of overall software quality. For example, competing offerings may find a few security violations that, taken in isolation, seem insignificant. Klocwork puts these violations in context by looking at the overall design and run-time behavior of an application. This understanding can demonstrate that a few security glitches can lead to extensive software vulnerabilities and substantial risk.
Klocwork is a true enterprise product in that it can be deployed across a geographically distributed development team, helping individual developers improve the quality of their own code while also improving the overall project.
ESG Take: There is little doubt that applications are vulnerable today, and sophisticated hacking techniques increase the threat of a major breach on a daily basis. ESG believes that companies should examine the root cause of the problem, namely software development processes that eschew security. Klocwork provides tools for the entire development lifecycle that not only address security but can help improve software quality as well. Once integrated into the software development process, Klocwork will help improve software quality and pay for itself in short order.
Klocwork® offers a portfolio of development productivity tools designed to ensure the security, reliability and maintainability of complex code bases. Using proven static analysis technology, Klocwork’s tools identify critical security vulnerabilities and reliability defects, optimize peer code review, and help developers create more maintainable code. Klocwork’s tools are an integral part of the development process for over 1000 customers in the consumer electronics, mobile devices, medical technologies, telecom, military and aerospace sectors.
Klocwork and the Klocwork logo are registered trademarks of Klocwork, Incorporated in the United States and other countries. All other names are trademarks or registered trademarks of their respective companies.