Secure software development starts before coding begins

Neil Roiter, Senior Technology Editor, Information Security magazine

SAN FRANCISCO -- Secure software development should start before a developer writes a single line of code.

"Source code analysis begins at concept phase," said Intuit Inc. vice president and CISO Jerry Archer. "By the time we get to the architecture phase, we have a security model."

Archer, speaking Tuesday as part of the 2009 RSA Conference panel, "Software Security: Source Code vs. Binary Code Analysis," said his company uses both technologies in its software development lifecycle: Fortify Software Inc.'s source code analysis and Veracode Inc.'s application vulnerability analysis service for compiled code.

The panel included Brian Chess, Fortify co-founder and chief scientist, Veracode co-founder and CTO Chris Wysopal and Oracle Corp. CSO Mary Ann Davidson.

Wysopal said binary code analysis enables testing of the actual programs that will run. He noted that companies don't always have source code because programs typically include calls to DLLs and existing libraries.

On the other hand, Wysopal said, "What's better in source analysis is that you can point to the exact line of the code that's causing issues."

Chess said the goal is often to find vulnerabilities in what you've got, and that's typically an executable requiring binary code analysis.

"But if you want to build a secure product," he said, "you've got to talk to programmers in the languages they speak. That's source code."

Secure code development requires a combination of automated tools. Archer said the tools find 40% to 70% of vulnerabilities in his company's programs. But the balance requires diligent human analysis because the results are often influenced by "convoluted business logic" -- in other words, bad design decisions that automated tools can't flag.

The panelists said that schools are a prime reason for the lack of secure coding. They said universities crank out programmers who know nothing of security.

"My supply chain is the universities," Davidson said. "We need them to code defensively. They should adopt the Marines' ethos -- every marine is a rifleman."

"The problem," one member of the audience asserted, "is that Johnny can't code. The books are crappy. We should challenge the schools and the professors."

Davidson said product managers and release managers should also be trained in secure coding.

The panel suggested that corporations should make it easy for people to write secure code, and hard to write it insecurely; today, the process is upside down. They also recommended embedding training, tools and review in the SDLC.

"Every developer is trained on Fortify and secure coding," said Archer. "They know how to code securely; there's no excuse for not doing it."

