• DocumentCode
    1269517
  • Title
    Managing software security risks
  • Author
    McGraw, Gary
  • Author_Institution
    Cigital, Dulles, VA, USA
  • Volume
    35
  • Issue
    4
  • fYear
    2002
  • fDate
    4/1/2002 12:00:00 AM
  • Firstpage
    99
  • Lastpage
    101
  • Abstract
    Most organizations manage computer security risk reactively by investing in technologies designed to protect against known system vulnerabilities and monitor intrusions as they occur. However, firewalls, cryptography, and antivirus protection address the symptoms, not the root cause, of most security problems. Buying and maintaining a firewall, for example, is ineffective if external users can access remotely exploitable Internet-enabled applications through it. Because hackers attack software, improving computer security depends on proactively managing risks associated with software and software development. The current "penetrate and patch" approach of fixing broken software only after it has been compromised is insufficient to control the problem.
  • Keywords
    risk management; security of data; software development management; antivirus protection; broken software; computer security; computer security risk; cryptography; firewalls; hackers; intrusion monitoring; penetrate and patch approach; remotely exploitable Internet-enabled applications; security problems; software development management; software security risk management; system vulnerabilities; Application software; Computer hacking; Computer security; Computerized monitoring; Cryptography; Internet; Protection; Remote monitoring; Risk management; Technology management
  • fLanguage
    English
  • Journal_Title
    Computer
  • Publisher
    ieee
  • ISSN
    0018-9162
  • Type
    jour
  • DOI
    10.1109/MC.2002.993782
  • Filename
    993782