About Me

I have a new job! I am now working for MicroHealth as the Chief Governance & Compliance Officer. I start in December, 2011. I am a dentist and have been in the Air Force for the past 26 years and now am retiring out of a great job...the Chief Medical Information Office at the DHIMS program office where we build and maintain the military electronic health record. I am also back in school at the GWU Masters program in Information Systems Technology...great experience. In my spare time, I love to get creative and work with polymer clay and paint.

Thursday, September 29, 2011

Code Security...How to find and fix vulnerabilities


During our studies at eMSIST, we have read and discussed security risks and vulnerabilities, but it never dawned on me that the vulnerabilities may be within the code itself.  I had the opportunity to learn about the HP Fortify code analyzer the other day while speaking to an HP analyst https://www.fortify.com/products/hpfssc/index.html.

The Military Health System analyzed over 5 million lines of code in their electronic health record using both static and dynamic code tools this past year and discovered thousands of vulnerabilities. Two good things came out of this. First, we integrated code analysis into all new software development projects to identify and fix problems immediately. This reduced costs dramatically because we fixed problems early. Secondly, we used the analysis findings to rank the code defects that bubbled up from trouble tickets, so we knew which defect to fix first.

OWASP, the Open Web Application Security Project, encourages the use of a code analyzer during software development as a powerful tool that gives the developer immediate feedback with recommendations on how to rewrite the code. https://www.owasp.org/index.php/Source_Code_Analysis_Tools Although code analyzers are excellent tools, they cannot detect all vulnerabilities and have particular difficulty in the areas of authentication, access control and encryption. Because they only look for problems in the code, they cannot identify configuration or infrastructure issues.
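To make the strength and the limitation concrete, here is a small added example (my own illustration, not HP Fortify, OWASP or any product code) of what a static analyzer does: it parses source code into a syntax tree and looks for risky patterns. The toy checker below flags a database `execute()` call whose query text is assembled at runtime (concatenation, f-string or `str.format`), the classic SQL injection pattern. The sample source it scans is constructed for this post: one function builds the query by concatenation, the other uses a parameterized query. Note that neither function checks whether the caller is allowed to see that patient's record; the scanner says nothing about that, because "who may read this row" is an application policy, not a code pattern, which is exactly the access-control blind spot described above.

```python
import ast

# Constructed sample source: two handlers that read a patient record.
# The first builds SQL by string concatenation (pattern-detectable);
# the second uses a parameterized query (reported clean).
# Neither verifies that the caller is authorized to see the record,
# and no pattern match will tell you that.
SAMPLE_SOURCE = '''
def get_patient(db, request):
    pid = request.args["id"]
    return db.execute("SELECT * FROM patients WHERE id = " + pid)

def get_patient_fixed(db, request):
    pid = request.args["id"]
    return db.execute("SELECT * FROM patients WHERE id = ?", (pid,))
'''


def _is_dynamic_string(node):
    """True when an expression is assembled at runtime from pieces:
    'a' + b, an f-string, or 'template'.format(...)."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    if (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_sql_concat(source):
    """Scan Python source and report every .execute(...) call whose first
    argument (the query text) is built dynamically. Returns a list of
    findings with the enclosing function name and the line number."""
    findings = []
    tree = ast.parse(source)
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args
                    and _is_dynamic_string(node.args[0])):
                findings.append({
                    "function": func.name,
                    "line": node.lineno,
                    "issue": "SQL query text built from runtime string; "
                             "use a parameterized query",
                })
    return findings


def flagged_functions(source):
    """Convenience view: names of the functions that received a finding."""
    return sorted({f["function"] for f in find_sql_concat(source)})


if __name__ == "__main__":
    for finding in find_sql_concat(SAMPLE_SOURCE):
        print(f'{finding["function"]} (line {finding["line"]}): {finding["issue"]}')
    # Prints one finding for get_patient; get_patient_fixed is silent,
    # even though it still lacks an authorization check.
```

Running it reports `get_patient` and stays silent on `get_patient_fixed`. That silence is the point: the parameterized version is safe against injection, but the tool has no way to know the application never asked whether this user may view this patient, and it cannot see the database or web server configuration at all. Those gaps still need a design review, a threat model and a dynamic test against the deployed system.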

On September 12, 2011 Information Week reported that HP Expands Security Offerings http://www.informationweek.com/news/security/app-security/231601254 providing dynamic analysis for web applications in the cloud.
