Tuesday, January 13, 2009

Top 3 Root Causes to Poor Application Security

The Coates Top 3 Root Causes to Poor Application Security
  • Lack of Management Support
  • Lack of Security Specific Training for Developers
  • Absence of Standardized Security Libraries
After you address the Coates Top 3, then you can start to tackle the OWASP Top 10 or SANS Top 25

-Michael Coates


  1. We don't need security libraries. We need libraries and frameworks that abstract security issues and make software safe by default. We will continue to fail for as long as we expect developers to be security experts.

  2. Personally, I would prefer to keep it as modular as possible, so I have to agree with Michael on that one. We need "Standardized Security Libraries" which we can integrate in either frameworks or, directly in our code. To tie security related code to a specific framework, would actually complicate the what need to be K.I.S.S.

  3. I don't think we'll be able to completely remove the responsibility of security from the developers. I agree that, when possible, lets abstract away security and make it safe by default. However, there are still a lot of security issues which must be addressed by the developer.

    Instead of making the developer create a security solution from scratch, which would require them to be security experts as Ivan pointed out, provide developers with security libraries which have been designed by the security experts. If the developers are aware of the fundamental security concerns, and have security libraries available which are easy to use, then we have a good chance of developing much more secure code.


Note: Only a member of this blog may post a comment.