The financial services industry is well ahead of other markets when it comes to making secure coding a reality, but other firms, including smaller independent software vendors, aren't making the effort, according to Ryan Berg, a senior architect of security research for IBM. The CEO within an organization can make the difference, Berg said.
If the CEO commits to improving software development and backs that commitment in the budget, the entire software development process can change for the better, Berg said. In this interview, Berg outlines the threat landscape, explains how companies can make incremental changes to their software development processes, and names the models organizations can turn to for guidance.

We hear so much about the need for companies to focus on secure software development. Why should software security be a priority?
Ryan Berg: About 12 years ago, I worked at a company called BBN, and at the time one of the things we introduced at BBN was the first managed firewall services. So back 12 years ago, one of the greatest threats to an organization was access to the network. That's what everyone was concerned about. Firewalls came around and you needed an advanced degree just to configure a firewall. But one of the biggest requests that came in to our network operation center was: "Can you open this port for me?" As more and more application services came onto the network, they tried to open the firewall more and more to make them work. At the time the applications and Web applications were pretty bad. The threat landscape at the time was Web defacement.

Then the Web started to evolve, and about five years ago we saw more and more dynamic content pushed onto the Web and more actual business functions happening. The firewall still provides a baseline of security, but you allow port 80 and you allow a freeway of activity into your network. What used to be a closed-off sense of what was internal and what was external has now evaporated. It appears that most organizations, once they're doing business on the Internet and allowing traffic in and out of their network on port 80, have essentially allowed an open door for access into their infrastructure.

The link for this article located at Search Security is no longer available.