Development Security Forum

By MaryWeilage Editor
Welcome to the Development Security Forum. This is the place to post your security questions, share your best techniques, and express your opinion on topics that impact IT development.

We also encourage you to post your comments about the Development Security Spotlight TechMail.

If you haven't subscribed to the Development Security Spotlight TechMail, there is no better time to take advantage of our free e-newsletter. Visit our e-newsletter subscription center to subscribe to this valuable TechMail today:


Development Security Spotlight TechMail

by Mark W. Kaelin Editor In reply to Development Security Foru ...

Secure software is stable software:

The Feb. 18 Development Security Spotlight TechMail discusses the creation of secure software with stable designs. When you develop your applications, do you consider that a user may intentionally try to cause your software to fail? Do you consider this a priority with regard to secure development?


If only they'd listen

by cdragonne In reply to Development Security Spot ...

I am the head of QA at my company and I crack down on the developers about the security of their applications. I am always told they'll "fix it later" or "it's not our job". Wrong! When customer data is at stake, it's everyone's job. I proved my point once by purposely breaking into an app and posting a note on the front page saying "Listen to your QA person." Needless to say, this is an extreme example, but it did get them to listen.



by Tech Locksmith In reply to Development Security Spot ...

I certainly hope no one thought I was taking a dig at developers - unless you have actually worked (or tried to work) around the edges of cutting-edge cryptography, you have no concept of how complex it can be. I know just enough about cryptography, as the saying goes, "to be dangerous." My only defense is that I realize this and therefore avoid any serious work in the field.

Just as a simple reminder, the most useful of today's "new" crypto tools, public key cryptography, involves trap door functions which required some pretty innovative mathematical theory to realize.

You can find a basic explanation of trap door functions and RSA at:

The Pollard p-1 Factorization Method is described at:

This shows that you have to be careful even when using trap doors.
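To make the post's caution concrete, here is an added example (not from the post or its linked references) of the Pollard p-1 method run against a constructed toy modulus, next to the key-generation check that defeats it: a prime p whose p-1 has only small prime factors falls to the method, while a "safe prime" (p = 2r + 1 with r prime) does not. The primes, moduli and the helper names are all constructed for this illustration.

```python
"""Pollard's p-1 on a constructed toy modulus, plus the key-generation check
that blocks it. Added illustration for this thread; primes are tiny, hand-picked."""
import math
from typing import Optional


def pollard_p_minus_1(n: int, bound: int, base: int = 2) -> Optional[int]:
    """Return a non-trivial factor of n when some prime p | n has p-1 dividing
    bound! (roughly: every prime factor of p-1 is <= bound); otherwise None.
    It builds base^(bound!) mod n step by step: once (p-1) | k!, Fermat's
    little theorem gives a == 1 (mod p), so gcd(a - 1, n) exposes p."""
    a = base % n
    for k in range(2, bound + 1):
        a = pow(a, k, n)
        d = math.gcd(a - 1, n)
        if 1 < d < n:
            return d
        if d == n:  # every prime hit at once; another base may still split n
            return None
    return None


def largest_prime_factor(m: int) -> int:
    """Largest prime factor of m by trial division (fine at toy sizes)."""
    largest, f = 1, 2
    while f * f <= m:
        while m % f == 0:
            largest, m = f, m // f
        f += 1
    return max(largest, m) if m > 1 else largest


def p_minus_1_is_weak(p: int, bound: int) -> bool:
    """Key-generation check: True if every prime factor of p-1 is <= bound,
    the condition under which Pollard p-1 at about that bound succeeds.
    A safe prime p = 2r + 1 (r prime) keeps this False for every bound < r."""
    return largest_prime_factor(p - 1) <= bound


# Constructed toy moduli (real RSA primes are hundreds of digits long).
P_SMOOTH = 4621            # 4620 = 2^2 * 3 * 5 * 7 * 11  -> 11-smooth
Q_SAFE = 2039              # 2038 = 2 * 1019, 1019 prime  -> safe prime
Q_SAFE2 = 2027             # 2026 = 2 * 1013, 1013 prime  -> safe prime
N_WEAK = P_SMOOTH * Q_SAFE     # 9422219: bound 11 already splits it
N_SAFE = Q_SAFE * Q_SAFE2      # 4133053: nothing below bound 1013 works

if __name__ == "__main__":
    print(pollard_p_minus_1(N_WEAK, 11), pollard_p_minus_1(N_SAFE, 11))
```

The practical lesson is the one the post hints at: a library that generates RSA primes has to reject candidates whose p-1 (and q-1) is smooth, which is why safe or strong primes are used in key generation.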


Development Security TechMail Question

by Mark W. Kaelin Editor In reply to Development Security Foru ...

Fewer application features means more secure development:

The Feb. 25 Development Security Spotlight TechMail discusses reducing feature bloat to increase security. How do you resist creeping complexity in your application development? What application features have you refused to implement for specific security reasons? Tell us about it.


code size multiplies errors

by Tech Locksmith In reply to Development Security Tech ...

I guess I should point out one more factor that should help constrain the number of features. Although I mentioned that doubling the number of lines of code made the testing process much more complex, I hadn't bothered pointing out the most obvious threat from bloated applications.

Everyone makes coding errors; the only program I ever wrote that worked perfectly the first time only had six lines of code. After that I started making mistakes.

Various studies produce different specific numbers, but I don't think anyone would claim that their projects contain zero errors in, say, 10,000 lines of code.

Obviously then, if you double the number of lines of code you certainly double the number of coding errors, even if you develop in modules or find some way around the testing becoming much more difficult.

John McCormick


Stopping Manager Feature Creep

by cdragonne In reply to Development Security Tech ...

While personally I agree with security being important in any application being built, and that the more complex an application, the more likely there will be security issues... how do you stop feature creep from a manager perspective? What I mean is, while the app works and is secure, how do you convince the manager of the project to stop "feature creep" so that the app will stay secure? They just don't get it. It's always, "Well, we really need feature x, y, z for the CEO's stepsister's cousin... Do it." How do you fight a losing battle?


stopping manager

by Tech Locksmith In reply to Stopping Manager Feature ...

That's always the problem and the real challenge in any security program.

One way is to keep a file of major security threats exploited in applications, and especially any which involved loss of customer data, because that can lead to massive legal problems.

Another is to send them a copy of this column along with the estimated costs to companies of those system penetrations.

In the end, of course, you may only be playing CYA in the event of legal action but at least you should be able to avoid the brunt of the backlash when you are ignored and something does happen.

Probably the best thing you can do is remember the arguments against feature bloat - weakened security, increased development costs, and increased support costs - and include those in any proposals or budgets for future projects.

You can't glue security on at the end.

Good luck cdragonne, you've certainly put your finger on the real problem!


Meeting the Requirements of the HIPAA

by Mark W. Kaelin Editor In reply to Development Security Foru ...

Health-related businesses under the HIPAA gun:

The March 4 Development Security Spotlight TechMail discusses the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. How will the HIPAA Security Rule impact your business? Are you prepared to meet the requirements of this extensive Federal law?


Enforcing the HIPAA

by cdragonne In reply to Meeting the Requirements ...

Do you know just how they are going to go about enforcing the HIPAA? I used to work for a major hospital in my area and they were lucky to know how to run a floor sweeper. This same hospital just went under a security audit and FAILED miserably. The only reason I know is an associate of mine was on the audit team. How can you get hospital management to release issues and then train their employees to follow them?


Keep dev teams lean and mean

by Mark W. Kaelin Editor In reply to Development Security Foru ...

Achieve software security with modular development:

The March 11 Development Security Spotlight TechMail discusses the benefits of modular development with regard to security. Are your applications developed in a modular fashion? Does modular development equal secure development in your enterprise?

This discussion question was derived from a Development Security Spotlight TechMail. Would you like to receive an e-newsletter that discusses a topic such as this on a weekly basis? Get a subscription to the free Development Security TechMail by browsing to this URL:
