My beef this week is software bugs. Specifically, security related software bugs. I am constantly amazed at how little attention some software companies give to security in their code. Recently, I witnessed one such company implementing their product for large customer. It rapidly became evident that this company had never put their code through any kind of security review. A security scan immediately showed the most basic sophomoric mistakes and flaws in their code. Now it would be one thing if this were shareware being given away on the Internet. But this was supposedly enterprise level software! So much for Homeland Security! You can have all the policies and firewalls in the world but go and put a shoddy insecure program running on your network and you can jeopardize the whole thing.
When are software companies going to start really giving a @#$ about security? I guess when the customer (and that means me and you and you) start demanding it. This means documented security evaluations by an objective third party, audits, SAS-70 reports and other assurances before the contract or purchase order is signed. Do your due diligence, people! Or you may be buying unexpected remediation costs, delays, and of course a security risk inside your network.
