Developing an application security mind-set

Baking security into applications can be a difficult process, but experts believe developing an application security mind-set can help create more secure software systems.

As software applications have grown ever larger and more complex in recent years, it has become increasingly difficult to secure those applications after deployment. This has led some software makers to train their developers in secure coding practices in order to make applications more secure from the start.

RSA Conference 2007

Can't make it to the show? SearchSecurity.com staff members are on the RSA floor, on hand to deliver the latest RSA Conference 2007 news and updates.
But that is a small minority of vendors, and experts say application security won't improve much unless more ISVs start integrating security into their coding practices. And many industry observers believe that won't happen until developers and the organizations they work for learn how to think about security.

"It is necessary to develop a security mind-set. This means understanding the threats and risks, and keeping these in mind during all phases of software development and deployment," said Robert C. Seacord, senior vulnerability analyst with the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University.

The problem starts at the college level, experts say, because most aspiring software engineers and developers get little or no security education in school.

"Many of the introductory books on coding fail to discuss security, and as a result, many of the same vulnerabilities that were problematic for developers several years ago remain a problem today," said Michael Cobb, founder and managing director of Cobweb Applications.

Compounding the problem is the fact that the top priorities for most software projects are functionality and shipping the product on time. Developers aren't asked to think about security because consumers haven't asked for it. Security is often an afterthought, and many organizations still don't have a good handle on how to integrate security into the project requirements.

"Every application vulnerability is the result of some error during the development of the application," said Jeff Williams, chairman of the Open Web Application Security Project (OWASP). "The most common issues in the development process include the failure to define clear and detailed security requirements."

It's clear that developers unfamiliar with secure coding practices can't change their ways overnight, particularly given that application security is a relatively new concept. But there are some best practices that can be employed to improve the security of Web applications.

For one, organizations can start providing hands-on security training in an attempt to correct educational flaws. Chris Wysopal, CTO of Veracode, said showing developers how vulnerabilities appear in the code they write will help developers become more grounded, and understand that an application free of bugs isn't necessarily a secure application.

From there, developers should start adhering to common secure coding practices when writing and developing code, including validating all user input, avoiding the use of hidden form fields, keeping up-to-date on the latest security attacks, and practicing defense-in-depth.

Still, producing secure applications shouldn't be the sole responsibility of developers.

"To successfully develop secure systems, it is necessary that security is a focus of the entire development organization," said CERT's Seacord. "Software project managers need to ensure that secure software development processes are in place and that the developers understand and follow these processes. QA can assist in the process by testing for common vulnerabilities in addition to ensuring the overall quality of an application. CIOs need to emphasize the importance of producing secure code and ensure adequate organizational support."

While some say that even with these practices the industry is fighting an uphill battle, many experts are confident that the state of software security is improving. As evidence they point to the existence of communities, publications and vendor products once unavailable to the field.

But, improvements aside, the one thing that many say will push community thoughts and practices in a new direction is consumer demand. It may be only a matter of time until consumers explicitly ask for security like they ask for functionality.

As OWASP's Williams pointed out, "People are starting to rely on applications that will do things that will change their lives, and as we trust the software to do more and more things we will tend to see security increase."

<< Return to our special coverage of RSA Conference 2007

Dig deeper on Software Development Methodology

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close