SAN FRANCISCO -- Secure software development should start before a developer writes a single line of code.
"Source code analysis begins at concept phase," said Intuit Inc. vice president and CISO Jerry Archer. "By the time we get to the architecture phase, we have a security model."
Archer, speaking Tuesday as part of the 2009 RSA Conference panel, "Software Security: Source Code vs. Binary Code Analysis," said his company uses both technologies in its software development lifecycle: Fortify Software Inc.'s source code analysis and Veracode Inc.'s application vulnerability analysis service for compiled code.
Chris Wysopal, Veracode's co-founder and CTO, said binary code analysis enables testing of the actual programs that will run. He noted that companies don't always have source code for everything they ship, because programs typically make calls into DLLs and other existing libraries.
On the other hand, Wysopal said, "What's better in source analysis is that you can point to the exact line of the code that's causing issues."
Brian Chess, Fortify's co-founder and chief scientist, said the goal is often to find vulnerabilities in what you've already got, and that is typically an executable, which requires binary code analysis.
"But if you want to build a secure product," he said, "you've got to talk to programmers in the languages they speak. That's source code."
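As an added illustration of the line-level reporting Wysopal describes, the following is a small source-code analysis pass written for this page; it is not Fortify's or Veracode's tooling. It parses Python with the standard `ast` module, looks for command-execution sinks (the sink list is a constructed, deliberately short one) whose command string is built at run time, and reports the exact line and column. The sample program it scans is also constructed. The flip side of the panel's point is visible too: the checker only sees the source it is handed, so a call into a compiled library it cannot parse is never inspected.

```python
"""Minimal source-code analysis pass: flag shell-command sinks whose
command string is not a literal and report file:line:column.

Added example for this page, not Fortify's or Veracode's code.
The SINKS table and SAMPLE_SOURCE are constructed for illustration."""
import ast
from dataclasses import dataclass

# (module, attribute) pairs that hand a string to a shell or the OS.
# Constructed, intentionally short; a real tool carries far more.
SINKS = {
    ("os", "system"),
    ("os", "popen"),
    ("subprocess", "call"),
    ("subprocess", "run"),
    ("subprocess", "Popen"),
}


@dataclass(frozen=True)
class Finding:
    line: int
    col: int
    sink: str
    reason: str


def _qualified_name(func):
    # Resolve `os.system` / `subprocess.run` style attribute chains to
    # (module, attr).  Bare names (`from os import system`) are not
    # tracked here; a real tool resolves imports first.
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None


def _uses_shell(call):
    # subprocess.* only reaches a shell when shell=True is passed.
    for kw in call.keywords:
        if kw.arg == "shell" and isinstance(kw.value, ast.Constant):
            return kw.value.value is True
    return False


def find_command_sinks(source, filename="<source>"):
    """Return a Finding for every sink call whose command is not a literal."""
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        qn = _qualified_name(node.func)
        if qn not in SINKS or not node.args:
            continue
        module, attr = qn
        if module == "subprocess" and not _uses_shell(node):
            continue  # argv list without shell=True: no shell metacharacters
        arg = node.args[0]
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            continue  # fixed literal command: nothing user-controlled
        if isinstance(arg, ast.JoinedStr):
            reason = "f-string interpolated into shell command"
        elif isinstance(arg, ast.BinOp):
            reason = "string built with concatenation/formatting"
        else:
            reason = "non-literal command expression"
        findings.append(Finding(node.lineno, node.col_offset,
                                f"{module}.{attr}", reason))
    # Deterministic ordering regardless of AST walk order.
    return sorted(findings, key=lambda f: (f.line, f.col))


def report(source, filename="<source>"):
    """Compiler-style diagnostics: the exact line a developer must fix."""
    return [f"{filename}:{f.line}:{f.col}: {f.sink}: {f.reason}"
            for f in find_command_sinks(source, filename)]


# Constructed sample program (lines 6 and 8 are the real problems).
SAMPLE_SOURCE = '''\
import os
import subprocess

def backup(user_path):
    os.system("tar czf /tmp/backup.tgz /etc")
    os.system("tar czf /tmp/backup.tgz " + user_path)
    subprocess.run(["tar", "czf", user_path], check=True)
    subprocess.run(f"du -sh {user_path}", shell=True)
'''

if __name__ == "__main__":
    for line in report(SAMPLE_SOURCE, "backup.py"):
        print(line)
```

Run stand-alone it prints two diagnostics, `backup.py:6:4` and `backup.py:8:4`; the literal `os.system` call on line 5 and the argv-list `subprocess.run` on line 7 are left alone. Feed it only `backup.py` and any sink reached through a compiled extension module stays invisible, which is exactly the gap binary analysis is meant to close.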
The panelists said that schools are a prime reason for the lack of secure coding. They said universities crank out programmers who know nothing of security.
"My supply chain is the universities," said Mary Ann Davidson, Oracle's chief security officer. "We need them to code defensively. They should adopt the Marines' ethos -- every Marine is a rifleman."
"The problem," one member of the audience asserted, "is that Johnny can't code. The books are crappy. We should challenge the schools and the professors."
Davidson said product managers and release managers should also be trained in secure coding.
The panel suggested that corporations should make it easy for people to write secure code, and hard to write it insecurely; today, the process is upside down. They also recommended embedding training, tools and review in the SDLC.
"Every developer is trained on Fortify and secure coding," said Archer. "They know how to code securely; there's no excuse for not doing it."