Creating and Managing a Large Enterprise Software Security Program

Sunday November 01, 2009 - 12pm ET / By Darren Challey, Application Security Leader, General Electric

Content
  • Results; does this approach work?
  • Critical Success Factors
  • Other Important Aspects of a Holistic Software Security Program
  • GE’s Software Security Program Overview
  • Summary
  • Acknowledgements

Preface

Running a Software Security Program for a large enterprise is largely a thankless task. Building security into products (rather than painting or bolting it on at the end) is not a core competency, and the concepts of securely developing software are not taught broadly enough (yet) in academia. These problems are amplified at a company the size of GE by the large numbers of developers who are globally dispersed and developing software in just about every technology under the sun.

GE is a global infrastructure, finance and media company taking on the world’s toughest challenges. With products and services ranging from aircraft engines, power generation, water processing and security technology to medical imaging, business and consumer financing, media content and industrial products, GE serves customers in more than 100 countries and employs more than 320,000 people worldwide.

Information Security professionals are often viewed as coming “late to the game” with a myriad of reasons why an application is not going to be approved to “go live” and many different examples of weaknesses that will consume time and money to repair and lead to schedule delays. The business often asks “where were you when I started down this development path, and why have you waited until now to get involved?” We’ll talk in a moment about some of the ways in which you can change this mindset in your business.

One must accept that Software Security is really an unfair mission when viewed from the perspective of those seeking to protect applications, systems and data from unauthorized use and disclosure. The objective is completely one-sided: the protectors must find all the application vulnerabilities (which is essentially impossible), while the adversaries or attackers only need to find one.

Software Security has become an area of greater focus in the corporate world due to a few trends that may have seemed independent but are now clearly related:

  1. Financially valuable information and data that is web reachable is growing exponentially;
  2. Individuals graduating from high schools and colleges today have high proficiency, skills and knowledge of computers;
  3. The notion of what is considered to be “stealing” has been grayed by the prolific (but still illegal) sharing of media, such as MP3s and “burned” movies;
  4. On-line sites and communities exist where a user can easily (and anonymously) sell data for profit (including credit cards, identities, other Personally Identifiable Information (PII), corporate intellectual property, etc.);
  5. There are now very specific, prescriptive and restrictive laws and penalties that have been levied regarding the actions and reporting that must be followed when a company loses certain types of data in certain global locations.

Currently, one of the main reasons for lost data is “hacking” or unauthorized access to or manipulation of applications, software or systems. Verizon’s 2009 Data Breach Investigations Report¹ shows that 285 million records were compromised in 2008 and 64% of those breaches resulted from hacking. This demonstrates the importance of Software Security, because protecting enterprise data from compromise has become a high priority business objective, to ensure that companies don’t receive negative press, lose brand equity or reputation, lose customer loyalty or violate the many laws which are intended to ensure data protection, especially around personal data.

Inadequate software security can and does lead to a myriad of problems:

  • Reputational damage.
  • Loss of intellectual property.
  • Financial penalties.
  • Financial losses.
  • Productivity losses.
  • Revenue generation capability loss or reduction.

At the end of the day, the goal is to protect the Confidentiality, Integrity, and Availability of data.

© Valores Corporativos Softtek S.A. de C.V.