Ensuring security in software, Gary McGraw has long argued, means starting at the code level: That is, build security in from the start. McGraw, chief technology officer at Cigital Inc. and recognized as the industry's foremost software security expert, has said that enterprises too often focus on repairing damage post-breach and fixing bugs after launch. Instead, he argues, greater attention to security in the earliest stages of software development would greatly reduce the percentage of successful attacks, and minimize damage when malicious hackers do succeed.
For many organizations, this is a paradigm shift. Why is it worthwhile? Solving security vulnerabilities in production applications is expensive and difficult. That factor of difficulty is multiplied considerably by the fact that now there is software in everything (and the fact that those things are increasingly interconnected). That complexity might tempt you to assume the fight against malware attacks is hopeless. Not so, says McGraw; enterprises exacerbate the problem by considering security too late (i.e., at the testing stage, or post-launch). The key is to make security front and center when a new software development project is still a twinkle in a developer's eye.
This guide gathers McGraw's insights on how to develop software more securely and which tools and procedures you can use to eliminate vulnerabilities in your next development project. In the tips, interviews, podcasts and videos that follow, you'll get in-depth information on mobile software security, architecture risk analysis, the value of the Building Security in Maturity Model (BSIMM) and more.
A strong case for better coding
To ensure software security, we need to build secure software, and build it from the code on up: That's the message Gary McGraw consistently delivers in his writing on software development. Sounds logical, so why doesn't it happen? Why is it, as our expert asks, that so much energy goes into fixing damage and not enough into preventing it in the first place? Firewalls are all well and good -- and getting better all the time -- but maybe the focus should be on, as McGraw puts it, building "stuff that does not suck."
Or, to put it more delicately: Maybe it's time to remember that better security starts in the software, and the software starts in the coding.
Read on for the basics on the McGraw approach to secure software development.
How to assure computer security? Build it right in.
Marcus Ranum and McGraw cover software security issues in this one-on-one feature.
Implementing secure coding fundamentals
Bad software is as much a threat to security as actual malware. Learn why in this module, as we delve into the fundamentals of software security. You'll learn, for instance, the best practices of highly successful software security development and why a code review isn't enough to spot and prevent a software vulnerability.
This part of our guide includes key information on the BSIMM, a tool McGraw and others first developed in the 1990s that is now in its fifth iteration. The model, says McGraw, is an important guide to planning and carrying out any secure software development initiative.
Getting rid of bad software can also help eliminate malware, McGraw argues.
Hacking back isn't how you win the cyberwar. Instead, McGraw says, build software and systems with fewer vulnerabilities.
Which processes are commonly found in highly successful software security programs? McGraw explains what they are.
Software defects often aren't found through code review; here's why architectural risk analysis is a must.
The BSIMM tool, in its fifth version, acts as a measuring stick for software security initiatives.
Refining and improving best practices
This segment of the guide elaborates on the topic of best practices by turning attention to the human element of software security. Despite popular wisdom, McGraw insists that the facts show not only that humans can be trained, but also that security awareness training is a vital part of keeping software secure.
In this bring-your-own era, mobile security is another essential element to consider when you develop software, and McGraw covers the topic in depth here in a pair of articles. We close with a set of actionable guidelines on everything from software security groups to fixing bugs and flaws. No gospel would be complete without a set of commandments, and McGraw's got his ten. Avoid violating these and you can avoid the hell of a software security breach.
McGraw says it's time to focus on the facts, and they show that security awareness training is both needed and effective.
Software architecture risk analysis doesn't have to be hard. McGraw and fellow expert Jim DelGrosso explain an easy way to scale this essential software security practice.
There are five tech trends affecting software security, but there are also several BSIMM best practices to limit your risk.
There's no definitive test to give third-party software a clean bill of health, but McGraw explains ways to assess it in order to have more control over vendors.
McGraw fills in what the BSIMM project lacks: actionable guidance for software security.
McGraw on Film
If a picture is worth a thousand words, a video must be worth a million. These videos featuring McGraw both round out and supplement the material explored in other parts of this guide, covering everything from the evolution of the BSIMM to coding securely to mobile app issues.
In this video, McGraw explains why coding more securely could turn back potential Web 2.0 attacks.
The past and future of the BSIMM maturity framework for software security is McGraw's focus in this video. Watch and learn how vendors like Adobe and Microsoft measure up.
A key BSIMM study identified several processes you can use to help secure your software development environment.
What's the VBSIMM software security model, and how do you apply it to software purchased from third-party vendors? This video explains it all.
Learn about key mobile app security issues, and why McGraw thinks it's time to apply trustworthy computing concepts to mobile devices.
Increasingly, organizations are adopting software development processes that improve code quality. Discover the tools and procedures McGraw says will help eliminate serious vulnerabilities.
How to develop software securely: A Gary McGraw podcast library
Talk about one-stop shopping! In a single link we provide an entire library of Gary McGraw's greatest Silver Bullet podcasts on how to develop software securely. In each, McGraw chats with a fellow security expert on a particular topic. Click below to hear the man whom many call the father of software security discuss Apple vulnerabilities, mobile security, how best to teach software development and more.
SearchSecurity.com is pleased to partner with Gary McGraw to feature his monthly Silver Bullet software security podcasts, which discuss best practices in software security.