March 18, 2016
Seven Software Security Myths by Gary McGraw, Ph.D.
In his RSA Conference talk, Gary presented the seven myths that stop companies from going ahead and doing software security.
“Myth Busting the Security Landscape and Development Cycle - Myths abound in the security landscape, from what a vendor or product does to how to build security into software in the first place. These sessions break through misconceptions and provide a map for understanding realities.” [Gary McGraw]
The seven myths are listed below.
Myth 1. “Perimeter security works fine.” This belief makes firms rely on their existing security posture, assuming that traditional approaches to IT security, such as deploying firewalls or fixing issues after they are found, are enough to keep the organization secure. He said that with the growth of distributed technology, perimeter security cannot be a complete solution.
Myth 2. “A tool will do it all.” Tools such as static and dynamic analysis, together with penetration testing, help in finding and fixing problems. Relying on these tools, and the find-and-fix mentality that goes with them, is the dominant practice in the security world today. Thinking this way, he said, cannot be the solution; instead, developers should learn how not to make the mistakes in the first place, or at least learn how to find and fix issues during development.
Myth 3. “Penetration testing is perfect.” He suggests that penetration testing should be done before the product is shipped or deployed. He pointed out that hiring penetration testers to find problems in the real world has its own drawbacks, for the following reasons: (1) the pen testers might not report all the problems they find; (2) the reported problems might not be fixed; (3) new problems can be introduced while fixing the reported ones. Pen testing is also economically infeasible. Penetration testing is of course needed, but it shouldn’t be the first thing considered as a solution.
Myth 4. “Cryptography is magic.” In the real world, besides cryptography, we have to consider other security features as well.
Myth 5. “Eradicate the bug parade.” Over-focusing on code-level bugs while ignoring design flaws is a common problem in the real world.
Myth 6. “Developers should solve the problem.” In the real world, this cannot work. He said that the most successful companies in security have “security groups” that help the developers, the architects, the senior executives, and so on.
Myth 7. “Focus only on high-risk applications.” Focusing only on high-risk applications leaves the medium- and low-risk ones unattended. We should pay enough attention to all levels of risk.
See more at: http://www.rsaconference.com/videos/seven-software-security-myths