Newspost Serie Software Security

Software Security: Reasons for More Security

2. November 2021

In practice, it is not an easy task for manufacturers to continuously integrate a strong security mindset into complex software projects. In our blog series, Stephan Neumann, Head of usd HeroLab, and Torsten Schlotmann, Head of PCI Security Services, talk about practicable approaches and ways to still effectively improve software security.


In Part 1 today, we talk about external and internal drivers that are placing the topic of software security in the focus of manufacturers.

Newspost Serie Software Security Zitat Torsten Schlotmann

Torsten Schlotmann: "There are many reasons for secure software, but I would first like to focus on regulation as a driver. We conduct our audits according to standards in which secure software development plays an important role. In general, software development is an essential component in all relevant security standards. Regulatory requirements by the legislator, compliance requirements for example from the credit card industry, ISO standards or customer requirements must be considered and implemented in software development. While all of this should not be the primary and most important driver, it may be the first for many companies. However, due to the constant changes and increasing complexity of the standards, it is no longer enough to deal with security or its implementation exclusively in the implementation phase. Security needs to be embedded and integrated into all phases of the development process and included as 'business as usual' in everyday life."

Newspost Serie Software Security Zitat Stephan Neumann

Stephan Neumann: "A further driver for secure software is the cost factor. Applications are a lucrative target for an attacker because of the density of sensitive data. Should an attacker successfully exploit a vulnerability, a lot of follow-up tasks arise, which unfortunately also involve time and costs. The circumstances must be clarified and major damage prevented, customers informed and new certificates and passwords assigned. Once this is done, the next step is to fix the vulnerability. Maybe new systems have to be set up, the infrastructure is also involved. Perhaps it also makes sense to perform a test afterwards to see whether the vulnerability has finally been fixed. This selection of examples is intended to show that there is an insane amount of work to be done - work that could perhaps have been avoided. I can therefore recommend not only to look at the external drivers that my colleague Torsten has described, but to integrate security also on your own request. By doing so, you create the opportunity to identify vulnerabilities in time or prevent them from occurring in the first place by using trained developers."

Also interesting:

PHOENIX group establishes Europe-wide ISMS with support from usd AG

PHOENIX group establishes Europe-wide ISMS with support from usd AG

Particularly in high-growth industries with increasing internationalisation, such as the pharmaceutical industry, corporations today face the challenge of setting up their information security governance in such a way that it meets the associated risks and challenges....

Security Scan and Pentest: What are the Differences?  

Security Scan and Pentest: What are the Differences?  

A proactive protection against hacker attacks is essential, especially for systems and applications that are accessible from the Internet. A penetration test, or pentest for short, and security scan are frequently requested IT security analyses in this context,...

Security Advisories for Jellyfin

Security Advisories for Jellyfin

The usd HeroLab analysts examined the multimedia application Jellyfin while conducting their security analyses. Two cross-site scripting vulnerabilities were identified that allowed a simple user account to take over higher-privileged accounts, such as an...

Categories

Categories