This is what makes me so excited about Codenomicon joining forces with Coverity as part of the new Synopsys Software Integrity Group. Both Coverity and Codenomicon were founded around the same time, and have both worked tirelessly to perfect our respective security testing technologies. We both have fought for the betterment of software, and as an extension, the resilience of our interconnected world.
Now, the combination of Codenomicon's industry-leading suite of black box security testing technologies with Coverity's award-winning source code analysis solutions results in an unprecedented suite of solutions that can be leveraged to meet the software security needs of both buyers and builders. Buyers of software can use our combined solution suite to assess and mitigate the risk associated with procuring or using a piece of software. Builders of software can use the same suite of tools to locate and remedy software bugs and vulnerabilities.
In order to better understand how to deploy our combined product suite, I’d like to propose a concept of total vulnerability management.
The Internet is a hostile and unpredictable environment. Both reactive and proactive approaches are needed to build secure products and to operate them safely. On the reactive side of the total vulnerability management paradigm, products or organizations should adhere to established security best practices such as running anti-malware software, deploying firewalls, enforcing appropriate security policies and controls, managing their known vulnerability exposure, and subscribing to threat intelligence feeds, to mention a few. These are all needed to respond appropriately to a constantly changing threat landscape.
Alas, I assert that many of the reactive methods mentioned here are needed only because we have to protect ourselves from poorly implemented, designed or configured software riddled with known and unknown vulnerabilities. Broadly speaking, known vulnerabilities in their various forms are errors that are generally known to the public and for which patches or remedies exist. Managing known vulnerabilities and the vicious patch-and-penetrate cycle results in significant total software lifecycle costs for both buyers and builders of software. Instead of treating the symptoms of poor software development, we could more effectively reduce the cost and risk of operating software by addressing the root cause. For implementation or programming bugs, this happens during the development process, so that the bugs, which would become vulnerabilities in a live environment, never get released into the wild.