LA JOLLA, Calif. -- CLASP doesn't break new ground. But if the 300-plus-page document is widely embraced, hackers...
won't as easily breach networks either.
That's at least the goal for CTO John Viega, whose company, Secure Software Inc. of McLean, Va., today released what it calls the industry's first comprehensive process incorporating security into the application development life cycle. And it's free.
Short for Comprehensive, Lightweight Application Security Process, CLASP is designed for adoption by development teams wanting to build code more resistant to exploit. It's a goal that Viega, author of Building Secure Software, says is
CLASP was unveiled in time for today's opening of the first Secure Software Summit in La Jolla, Calif., in which Viega is scheduled to speak on the document's best practices. The conference also includes keynotes from two veterans of the security conference circuit, Oracle CISO Mary Ann Davidson and former national cybersecurity czar Amit Yoran. In addition, a highlight will be tomorrow's talk by Florida Institute of Technology professor James A. Whittaker on the latest threats.
CLASP is Viega's baby, with input from colleagues at IBM and other companies. The document consists of three main components:
- some 24 activities mapped to every role you'd expect in a development organization, from project manager to internal tester. They help an enterprise determine who owns a task and who should contribute to it, as well as the task's scope, potential impact and cost. It also includes audit activities that some organizations may outsource;
- a knowledge base that addresses common problems that lead to software vulnerabilities, based on input from those in the trenches;
- supporting artifacts like guidelines for code review or system assessments, including templates and punch lists.
Jeremy Epstein, who runs a research and development group for a Fairfax, Va., software maker, believes CLASP will generate interest, especially in an increasingly regulatory environment. "Like everything, it's going to take some time for people to recognize what it is. A lot of it is best practices, not new research."
Both CLASP and this week's summit are signs enterprises are putting more security emphasis, and perhaps resources, earlier in the software lifecycle -- something security professionals have longed begged for. Epstein believes new laws like Sarbanes-Oxley and HIPAA, with their heavy emphasis on data privacy and integrity, will force consumers and software creators to pay closer attention to product security. "I think we're finally going to get people building software securely because they have to, they no longer have a choice," he said. "We're much too far away to know how to attribute blame to any individual developer. That's no way at this point to do that sort of thing. It's going to have to be at the management level."
"But," he added, "a lot of pressure from executive management will be placed on lower levels who are forced to take on more responsibilities."
Viega said CLASP remains a dynamic document, subject to updates and changes based on feedback from those who review and implement its suggestions. "This is essentially a methodology to help you build secure software from the ground up, so you don't have to work as hard through the rest of the development life cycle," he said.
"This is a first cut," Viega noted. "It's comprehensive, but I think there's quite a long way for it to go still."