Building Secure Software

Why the standard approach to security doesn't work

Gary McGraw


Computer security takes on more importance as commerce becomes e-commerce and business embraces the Net. However, little progress has been made in the security field, especially when vendor technology is considered. Popular press coverage of computer security orbits around basic technology issues such as what firewalls are, when to use the DES encryption algorithm, which anti-virus product is best, or how the latest email-based attack works. The problem is, many security practitioners don't know what the problem is. It's the software! Internet-enabled software applications, especially custom applications, present the most common security risk encountered today, and are the target of choice for real hackers. This talk is all about software security risk and how to manage it. The trick is to begin early, know your threats (including language-based flaws and pitfalls), design for security, and subject your design to thorough objective risk analyses and testing. This talk covers material that software practitioners, including architects and languages researchers, can use to avoid security problems and produce more secure Internet-based code.

Gates 4B (opposite 490), 4/10/01, 4:30 PM