Dr. Dobb's Digest July 2009
When it comes to computer security, it's a question of "when," not "if": When will you unknowingly download a Trojan horse, when will your web site be defaced, when will your credit card treat someone else to dinner, and when will your company lose intellectual property and critical data about your core business and clients?
How big is the problem? While exact figures are hard to come by, estimates are staggering. In a recent survey commissioned by security firm McAfee, more than 800 CIOs around the world estimated that they lost a combined $4.6 billion worth of intellectual property last year, while spending approximately $600 million repairing damage from one data breach or another. Based on these numbers, McAfee projects that companies worldwide lost more than $1 trillion in 2008 alone. Of the respondents, 42% said laid-off employees are the biggest threat, followed by outside data thieves at 39%. Then there's the 2005 FBI report that pegs the cost of internal security attacks to U.S. businesses at $400 billion per year.
While it's unlikely you can totally prevent intrusions, you can mitigate their impact. One way is to build or "bake" security into software, starting in the design phase instead of retrofitting it at the end. As it turns out, that's the goal of Build Security In (buildsecurityin.us-cert.gov), a collaborative program between the Department of Homeland Security and the Software Engineering Institute to provide software developers and architects with practices, tools, guidelines, rules, and principles for building security into software throughout the lifecycle. Build Security In sees software security fundamentally as an engineering problem that must be addressed in a systematic way throughout the software development lifecycle.
The good news is that this heightened awareness of security is forcing companies to become more attuned to how their software is being designed, developed, and tested.