A well-known security consultant says Apple is struggling to effectively protect its users against malware and other online threats and suggests executives improve by adopting a secure development lifecycle to design its growing roster of products.
"Based on a variety of sources, we know that Apple does not have a formal security program, and as such fails to catch vulnerabilities that would otherwise be prevented before product releases," writes Rich Mogull, founder of security firm Securosis and a self-described owner of seven Macs. "To address this lack, Apple should integrate secure software development into all internal development efforts."
Microsoft was among the first companies to integrate an SDL into its internal development routine. Under the program, products are built from the ground up with security in mind, so that poorly written sections of older code are replaced with code that can better withstand attack. It also subjects programs to a variety of simulated attacks. Adobe Systems recently beefed up the SDL program for Reader and Acrobat following criticism about the security of those two programs.
Mogull's suggestion was one of five he made recently to ensure company is doing everything it should to safeguard its customers.
"It's clear that that Apple considers security important, but that the company also struggles to execute effectively when faced with security challenges," he writes in a recent article on Mac news website Tidbits. He goes on to fault the company for its ongoing failure to patch a gaping security hole in Mac versions of Java.
The suggestions came as Apple on Monday announced Safari 4.0, a release that fixes more than 50 vulnerabilities in the browser. Protection against clickjacking attacks, denial-of-service flaws and bugs that allow for remote code execution were among the fare.
Source
"Based on a variety of sources, we know that Apple does not have a formal security program, and as such fails to catch vulnerabilities that would otherwise be prevented before product releases," writes Rich Mogull, founder of security firm Securosis and a self-described owner of seven Macs. "To address this lack, Apple should integrate secure software development into all internal development efforts."
Microsoft was among the first companies to integrate an SDL into its internal development routine. Under the program, products are built from the ground up with security in mind, so that poorly written sections of older code are replaced with code that can better withstand attack. It also subjects programs to a variety of simulated attacks. Adobe Systems recently beefed up the SDL program for Reader and Acrobat following criticism about the security of those two programs.
Mogull's suggestion was one of five he made recently to ensure company is doing everything it should to safeguard its customers.
"It's clear that that Apple considers security important, but that the company also struggles to execute effectively when faced with security challenges," he writes in a recent article on Mac news website Tidbits. He goes on to fault the company for its ongoing failure to patch a gaping security hole in Mac versions of Java.
The suggestions came as Apple on Monday announced Safari 4.0, a release that fixes more than 50 vulnerabilities in the browser. Protection against clickjacking attacks, denial-of-service flaws and bugs that allow for remote code execution were among the fare.
Source
