Much attention is paid to securing the systems and networks that all of our applications run on, but all too often the security of the application itself is overlooked.
Many developers are aware of security and what measures should be taken in their apps, but opt to "put it in at the end." As we all know, the deadline usually appears before there is any time to go back and update code that works to make it bulletproof. This is unfortunate, and of course not always true, but still very prevalent (ever used a Microsoft product? Think all the exploits and issues were simply unknown when they released it, or was it perhaps a marketing deadline?)
At any rate, the design of applications is paramount to overall security. No matter how secure your firewall is, no matter what amount of logging, tracking, routing and what have you is in place, if the application's traffic (including that of web applications) is expected and allowed, those controls will obviously leave it alone. One of the all too common and simple exploits is to submit malicious code through an HTML form (CERT Advisory CA-2000-02). If security is an upfront consideration and built into the application, then the developers, users and the community at large are much better off.
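The HTML-form problem above is the classic case of trusting what a form sends back. The following is an added example, not code from the post or from the developerWorks series: a deliberately careless renderer next to one that escapes every submitted value on output, plus a small check a reviewer or test suite can use to confirm submitted markup no longer reaches the page live. The form data is constructed for the example.

```python
import html
import re

# Constructed sample form submission (not taken from the page): the "comment"
# field carries HTML markup, which is exactly what CA-2000-02 warns about when
# a site echoes it back to other users unescaped.
SAMPLE_FORM = {
    "name": "alice",
    "comment": "<b>hello</b> <script>alert(1)</script>",
}


def render_unsafe(fields):
    """'Before' version: interpolates submitted text straight into HTML.
    Any markup in a field becomes part of the page served to other users."""
    return "<p>{name} wrote: {comment}</p>".format(**fields)


def render_safe(fields):
    """Hardened version: every untrusted value is HTML-escaped at output time,
    so browsers display the submitted markup as text instead of acting on it."""
    return "<p>{} wrote: {}</p>".format(
        html.escape(fields["name"], quote=True),
        html.escape(fields["comment"], quote=True),
    )


# Matches anything that looks like an HTML tag in submitted data.
TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")


def contains_live_markup(rendered, untrusted_values):
    """Review/test check: does any tag that originated in submitted data survive
    verbatim into the rendered output? True means the output is still unsafe."""
    for value in untrusted_values:
        for tag in TAG_RE.findall(value):
            if tag in rendered:
                return True
    return False


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_FORM))
    print("safe:  ", render_safe(SAMPLE_FORM))
    print("unsafe output still carries submitted tags:",
          contains_live_markup(render_unsafe(SAMPLE_FORM), SAMPLE_FORM.values()))
    print("safe output still carries submitted tags:  ",
          contains_live_markup(render_safe(SAMPLE_FORM), SAMPLE_FORM.values()))
```

The point of the check function is that it is cheap to drop into a regression test for every template that renders user input, which is how "build it in from the start" turns into something a deadline cannot quietly remove.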
developerWorks has a nice recent article on just this topic: security in software design. This is "Part 1" in a ten-part series, and it focuses on the "weakest link." A "common" weak link is social engineering, or making the application and support user-proof. Keep an eye out for the series on Software Security, and check out this installment via the link. Software Security Principles: developerWorks