Vendors shift focus to defense lines

09.03.2006
A survey of participants in the 2005 Secure Software Forum -- an industry forum promoting software quality assurance -- observes that, while companies recognize the need for secure software and have begun developing secure coding policies, 70 percent still have not integrated a security assurance program into their development process.

Most large software vendors have implemented programs for secure code development, says Howard Schmidt, CEO, R&H Security Consulting in Issaquah, Wash.

For instance, Oracle Corp., criticized in the past for security vulnerabilities in some of its software, recently deployed Fortify Software's source code analysis tools to test its code base of 30 million lines. Fortify's tools use a set of rules that can flag vulnerabilities in more than 60 categories, including SQL injection, buffer overflows and format string errors.

Fortify says its source code analysis tool has a high 'signal-to-noise' ratio when analyzing large, complex commercial applications and lets users set thresholds to 'tune' the analysis to the desired sensitivity level. It helps users prioritize vulnerabilities according to importance without losing track of less important flaws that can be addressed later, writes IDC Corp.'s Melissa Webster in a research document entitled Managing Software Security Risk.
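To make the two preceding paragraphs concrete, here is an added illustration (written for this page; it is not Fortify's code and does not reproduce its rules) of what a rule-based source scanner does: each rule is a pattern for one vulnerability category (format string, buffer overflow, SQL injection), every hit carries a severity, and a threshold splits findings into those to fix now and those kept for later. The C sample it scans, the three rules, the regexes and the severity numbers are all constructed for the example and are assumptions, not anything the article reports about Oracle's code base.

```python
"""Toy rule-based source scanner with a severity threshold (illustrative only)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    severity: int  # 5 = most severe (assumed scale for this example)
    snippet: str


# Constructed sample C source with two flaws, one safe call and one query built
# from user data. Not real vendor code.
SAMPLE_SOURCE = """\
#include <stdio.h>
#include <string.h>
void log_user(const char *user) {
    char buf[64];
    strcpy(buf, user);              /* unbounded copy into fixed buffer */
    printf(buf);                    /* caller-controlled format string */
    printf("%s\\n", buf);           /* safe: literal format string */
}
void lookup(sqlite3 *db, const char *name) {
    char query[256];
    snprintf(query, sizeof query, "SELECT * FROM users WHERE name='%s'", name);
    sqlite3_exec(db, query, NULL, NULL, NULL);
}
"""

# Each rule: (category, severity, pattern). The patterns are deliberately
# simple line-level heuristics chosen for this example; a real analyzer tracks
# data flow across statements rather than matching text.
RULES = [
    # printf/fprintf whose format argument is an identifier, not a string literal
    ("format string", 5,
     re.compile(r"\b(?:printf\s*\(|fprintf\s*\([^,]*,)\s*[A-Za-z_]\w*\s*[),]")),
    # classic unbounded string/buffer functions
    ("buffer overflow", 4,
     re.compile(r"\b(?:strcpy|strcat|gets|sprintf)\s*\(")),
    # SQL keyword inside a string literal that also carries a %s placeholder
    ("SQL injection", 3,
     re.compile(r'"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*%s[^"]*"', re.I)),
]


def scan(source):
    """Run every rule over every line; return findings in source order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for category, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, category, severity, line.strip()))
    return findings


def prioritize(findings, threshold):
    """Split findings at the severity threshold. Both lists are ordered most
    severe first; the deferred list is returned rather than discarded so that
    lower-priority flaws are not lost when the threshold is raised."""
    by_priority = lambda f: (-f.severity, f.line_no)
    must_fix = sorted((f for f in findings if f.severity >= threshold), key=by_priority)
    deferred = sorted((f for f in findings if f.severity < threshold), key=by_priority)
    return must_fix, deferred


if __name__ == "__main__":
    must_fix, deferred = prioritize(scan(SAMPLE_SOURCE), threshold=4)
    for label, group in (("FIX NOW", must_fix), ("DEFERRED", deferred)):
        for f in group:
            print(f"{label:8} sev={f.severity} line {f.line_no:>2} {f.category}: {f.snippet}")
```

Raising the threshold to 5 leaves only the format string finding in the must-fix list; lowering it to 3 promotes the query built with `snprintf` as well. The bounded `snprintf` keeps line 11 out of the buffer overflow rule, which is exactly the kind of distinction that keeps a scanner's noise down.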

High-profile software companies are also placing less importance on meeting delivery deadlines and more on writing secure applications, says Schmidt. He adds that most of the software companies writing secure code don't get due credit for the effort.

Microsoft's long-awaited Windows Vista, the company's next-generation operating system due to be released later this year, may be a case in point. Vista was initially expected in 2003, but its release has been pushed back repeatedly.