August 28, 2008   Sign In |  About ebizQ |  Contact Us |  Join ebizQ Gold Club
Peter Schooff
Peter Twenty-Four Seven Security
 Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

« IBM One Step Closer to Offering End-to-End Security | Main | Microsoft Issues Six Patches (Four Critical) »

June 08, 2007
Companies Need A New Security Mindset

A recent article at Dark Reading explores how enterprises really need a new way of and thinking about both the constant level of threats and how to defend against them. The central point is that companies need to realize that security is a daily (just daily, I’d even say hourly) concern.

The issue was part of a recent vulnerability panel discussion moderated by Gartner, and made the point that vulnerability research is critical to staying one-step ahead of the threats. This is right on topic with my last blog about IBM purchasing Watchfire.

As Chris Wysopal, CTO of Veracode, said, "If you leave crumbs on the floor, the ants are going to show up." And once ants ruin one or twoof your picnics, folks might be reluctant to come to another picnic (just trying to stick with the metaphor while introducing brand damage).

It’s still true that most don’t see the purpose of quality security investments until an attack has already occurred. But the panel all agreed that security is increasingly entering the IT investment picture. Also, applications are starting to be extensively tested before they're being introduced.

But doing your own security testing is by no means cheap. Gartner estimates that for every hundred employees a company has at least one custom application. Security testing gets expensive for every one.

The rule of thumb is companies should allocate 5 percent of their development budget to testing. Other estimates go as high as 25 percent (which includes quality assurance). David Maynor, CTO of Errata Security, said "At the end of the day, what are you developing your applications for? If you're in [financial] trading, it could potentially mean millions of dollars if you are down for a couple of minutes," he said. "It's easier to allocate resources on the front end."

Still, that’s not guaranteed to catch all the bugs and vulnerabilities. Said Maynor, "You're never going to make a 100 percent secure app, but there are things you can do to minimize [vulnerabilities]."

Posted by pschooff in |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/1988

Comments Post a comment




Remember Me?

(you may use HTML tags for style)

We ask that you type your code (displayed below) in the text box.This code is an image that cannot be read by a machine. It prevents automated programs from submitting comments.


Code:



Most Recent ebizQ Blog Entries
ADVERTISEMENT
Subscribe
News Feed
Recent Posts
Categories
Archives
Blog Roll
Blogosphere
This Work
Accountability:The opinions expressed in this blog are solely representative of the blog's author, and not of ebizQ
Subscribe to our Newsletters
ebizQ Weekly Gold Club Update
Live Webinar Updates
Updates from ebizQ Partners
ebizQ SOA Update
ebizQ BPM Update
ebizQ Security Update
ebizQ BI Update
ebizQ Open Source Software Update
Virtual Show Newsletter
ebizQ Web 2.0 and the Enterprise
Your E-mail Address:
The Future of Application Servers in the Enterprise & IBM WebSphere Application Server V7
Date: Sep 10, 2008
Time: 12:00 PM ET
(16:00 GMT)
REGISTER TODAY!
How to Get a BPM Initiative off the Ground
Date: Sep 16, 2008
Time: 12:00 PM ET
(16:00 GMT)
REGISTER TODAY!
Archived Webinars | Upcoming Webinars

Marketing Solutions | Feedback | About ebizQ | Unsubscribe | Privacy Policy | Site Map

Live Chat