Software code must change to beat hackers

Security firm Fortify has announced a new strategy which it claims will provide businesses a blueprint for minimising risks resulting from vulnerabilities in software and business assets.

The Business Software Assurance (BSA) is based on a premise that security must come from within businesses. It says that corporate mindsets must change, so that they can reduce risk and cope with compliance procedures.

"Businesses today are built and operated by software that houses intellectual property, business processes and trade secrets that are vital to the health of an enterprise," said Roger Thornton, Fortify chief technology officer and founder.

"Unfortunately most of this software is developed to be open and functional, or was developed pre-internet and therefore not secure. This creates a significant vulnerability at the company's core," said Thornton.

Fortify said that companies have traditionally relied on 'perimeter-based' approaches such as network security to prevent criminals from accessing business information.

However, the open nature of today's business processes has weakened perimeter protections such as firewalls, leaving applications vulnerable and open to hackers.

Current application security tools such as penetration testing provide some protection, but only against the symptoms of insecure software rather than the insecure code itself.

"The biggest single step for businesses to reduce risk today is to force major improvements in poorly designed and insecure software and applications," said Gartner senior analyst John Pescatore.

"By focusing on strengthening applications at the basic code level, businesses can greatly increase the protection of critical customer and business data while actually reducing how much they have to spend on shielding and patching vulnerable production applications."

The BSA strategy was announced alongside the worldwide release of a product focused on software vulnerabilities and application security for businesses.

Fortify 360 is a suite of integrated solutions which the company claims will identify, prioritise and fix security vulnerabilities as well as manage the business of application security.

"It's not just about the technology, but also about bridging the gap between those in the enterprise responsible for development and security," said Thornton.

"Security is a low priority in software development compared to functionality, quality and performance, and most business managers are often unaware of the inherent business and security risks of deploying dangerously exposed software," he added.