FTP Online

Why Security and Outsourcing Are Key Trends in Testing and Performance (Continued)

Build Security Into the T&P Process
"Most security problems are related to some kind of bug," said Adam Kolawa, founder and CEO of Parasoft of Monrovia, California, a maker of error-prevention software for code. "Bugs allow for exploitation. Everybody is testing their apps out of the box, when they should be monitoring the quality of the code as it is generated. That's the best way we have at the moment to prevent security lapses."

However, enterprise and mid-size IT shops with different requirements, budgets, and overall philosophies can place completely different emphases on security. The bottom line is this: Virtually any software program can be reverse-engineered and/or hacked, if the intruder is educated and motivated enough.

"Hackers are like germs; they keep building up immunities against whatever antibiotics we throw at them," said Joe McKendrick, a Philadelphia-based enterprise software analyst for Evans Data Corp. in Santa Cruz, California. "They keep finding new ways to get in and cause havoc. It's a continuing major challenge to the industry to keep finding ways to circumvent intruders. I'm not sure anybody has the complete answer yet."

Maybe not, but it's generally true that the more foresight, testing, and performance work a company does, the harder it will be for someone to compromise the software once it's out in the world. At least that's the logic.

Microsoft, of course, has long been the biggest target of hackers, and for a number of reasons. "They simply have the most systems in place," McKendrick said. "Most other companies enjoy so-called 'security by obscurity,' and don't have nearly the same issues that Microsoft and other huge companies have to deal with."

However, some new evidence has surfaced that shows Microsoft's security problems may need to be put into a larger context. An industry security study, "The Myth of the Monoculture," released Sept. 24 by the Computer and Communications Industry Association (CCIA), warns of the dangers of "monoculture" in the IT industry. It drew the following response (in part) from Jonathan Zuck, president of the Association for Competitive Technology:

The study's premise of an existing monoculture in computer security is inherently false. Of 660 million Windows users worldwide, less than one-tenth of one percent were impacted by the notorious MSBlast worm last month. Why? In reality, each Windows user has different configurations of hardware, routers, virus software, and security habits. The diversity that comes from the security stack of hardware, software, and user habits leads to an extremely heterogeneous security environment even on a single operating system like Windows. The evidence clearly shows that the monoculture feared by the authors exists only in theory and not in reality.

Undoubtedly, this is a developing story that will continue to draw attention.


