Let the Coding Begin, Securely
Once the software moves into development, programmers often aren't equipped to ensure secure code without some help, even with security practices implemented in the previous requirements and design phases. According to findings by the Secure Software Forum, a joint initiative by the Information Systems Security Association and vendors including SPI Dynamics and Microsoft to advocate secure software practices, 65 percent of developers don't feel confident in their ability to write secure applications and 70 percent of security problems are in the application layer. As a result, many security tools vendors find awareness training and code auditing products to be compelling solutions for customers.
"If you can give developers some basic training on things they need to understand, particularly if you can apply it in the context of whatever applications that they're working on, you can get great return from that," explained Dale Gardner, Product Management Director for Secure Software, a vendor that offers awareness training along with its CodeAssure application security suite.
However, even with training, developers can hope to be aware of only so much. According to Thornton, Fortify's research has identified 116 categories of vulnerabilities, and each category can be reached through many different calls. He said, "A SQL injection is a category, but there are thousands of different calls that will wind you up there. There's just no way in the world a human being can do all that. Using tools to do all that can be very effective."
These tools relieve the developer from manually auditing code based on his or her vulnerability knowledge, but the cure can be worse than the disease if the tools aren't sophisticated enough to distinguish the serious threats from the trivial ones. Chasing down every possible vulnerability on a long result list, many of which turn out to be false positives, is not a good use of a developer's time. Tools vendors have worked to improve accuracy. For example, Secure Software simulates the execution of the code to essentially establish a model of the application, with which its tools can verify their analyses. OunceLabs' tools return ranked results with the known vulnerabilities at the top.
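As an added illustration of why that ranking matters (example code written for this article, not any vendor's product): a toy checker that flags every runtime-built SQL string reaching a database sink, but rates a finding high only when the string depends on an assumed untrusted source, so benign concatenation of constants drops to the bottom of the list. The sink and source names and the sample code are constructed for the example.

```python
import ast

# Assumed sink/source names for this illustration; a real tool carries
# thousands of such entries, the "calls" Thornton refers to above.
SINKS = {"execute", "executemany"}
SOURCES = {"request", "input", "argv"}

def _names(node):
    """All variable names referenced anywhere inside an AST node."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def audit_sql_sinks(source):
    """Return (severity, line) for each non-constant query reaching a sink:
    'high' if it depends on an untrusted source, else 'low' (likely noise)."""
    findings = []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set(SOURCES)  # a parameter named like a source is untrusted
        for stmt in func.body:
            # Forward taint propagation through straight-line assignments.
            if isinstance(stmt, ast.Assign) and _names(stmt.value) & tainted:
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            for call in ast.walk(stmt):
                if not (isinstance(call, ast.Call)
                        and isinstance(call.func, ast.Attribute)
                        and call.func.attr in SINKS and call.args):
                    continue
                query = call.args[0]
                if isinstance(query, ast.Constant):
                    continue  # fixed text, including parameterised queries
                sev = "high" if _names(query) & tainted else "low"
                findings.append((sev, call.lineno))
    return sorted(findings, key=lambda f: (f[0] != "high", f[1]))

# Constructed sample, not code from the article: one real injection (line 6),
# one benign concatenation of a constant (line 8), two safe calls.
SAMPLE = '''
def lookup(conn, request):
    name = request.args["user"]
    table = "users"
    q = "SELECT * FROM " + table + " WHERE name = '" + name + "'"
    conn.cursor().execute(q)
    conn.cursor().execute("SELECT 1")
    conn.cursor().execute("SELECT count(*) FROM " + table)
    conn.cursor().execute("SELECT * FROM users WHERE name = %s", (name,))
'''

print(audit_sql_sinks(SAMPLE))  # [('high', 6), ('low', 8)]
```

Without the taint step, lines 6 and 8 would be reported with equal weight; with it, the developer reads the genuine injection first and can treat the low-ranked entry as a probable false positive.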
Secure SDLC in Practice
Microsoft, whose products are perhaps the most scrutinized for vulnerabilities, adopted the secure development lifecycle (SDL) program internally as part of its Trustworthy Computing initiative. SDL is a process for developing software that defines security requirements and milestones (or gates) at every stage of the lifecycle and doesn't allow a software project to progress beyond a gate until it meets those requirements. Among its mandates is a threat model for every new project. Redmond reports a reduction of at least 60 percent in the reported security bulletins from its pre-SDL releases to its post-SDL releases of Windows Server, SQL Server, and Exchange Server. Bill Gates devoted much of his RSA keynote address "Microsoft's Security Vision and Strategy" to the principles of Trustworthy Computing and the SDL.
According to Howard and Steve Lipner, who co-created SDL, the program is an evolving process that is updated twice a year but keeps improvements lightweight. "To submit a change, you must show five security bulletins that would've been prevented by implementing the change," says Howard.
The principles of SDL are evident in other vendors' initiatives as well. With its Application Security Assurance Program (ASAP), SPI Dynamics has the stated goal of putting tailored SDLs into practice within all organizations. Secure Software developed CLASP (Comprehensive, Lightweight Application Security Process), which describes two dozen different activities that an organization can use to build security into software development. "We've done it with an activity-oriented focus to make it easy to fit into different SDLC processes that people might have," said Gardner.
Of course, having such a strong advocate of security practices in an executive as senior as Bill Gates is a luxury that security evangelists in many other companies don't have. If you feel like your requests for improved security practices and the investment they require fall on deaf ears, gaining management buy-in and a sustained commitment is a tougher task.