Microsoft says it will equip its Visual Studio .Net with a plug-in from security software vendor Sanctum designed to catch common security vulnerabilities at development time. This new feature is intended to let programmers check their code more often for security flaws, helping them release code free of common exploits.
|
The fact that this news is lauded as a great move is indicative of many companies' failure to adequately enforce security and coding policies. It also points to their shoddy code-review processes and the incompetency of some of their programmers. Buffer overflows generally occur when a developer copies one string into another and the length of the former is longer than the length of the latter. The fact that no one checks the length of the string being copied is astounding. The notion that QA processes don't catch such errors is just confounding.
Although documenting test cases and performing unit tests on code is not the most exciting part of development, such tedious tasks are necessary to ensure that the underlying code does not contain defects--especially defects that could cause security breaches.
Introducing an automated method of scanning for vulnerabilities during development is the correct course of action, but if companies are unwilling or unable to create and enforce the necessary coding and QA practices that would ensure compliance, how can they enforce the use of such a tool?
Besides, an automated tool cannot replace due diligence. It can only assist in a company's efforts to reduce its product's security vulnerabilities. Those efforts should include a closer examination of code and better training for developers--and perhaps tougher punishment than a slap on the wrist for developers who continue to introduce exploits.
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
