Secure software development starts before coding begins

Source code and binary analysis tools both play a role in secure software development, but experts say careful planning, better education and a lot of hard work are even more important.

SAN FRANCISCO -- Secure software development should start before a developer writes a single line of code.

"Source code analysis begins at concept phase," said Intuit Inc. vice president and CISO Jerry Archer. "By the time we get to the architecture phase, we have a security model."

Archer, speaking Tuesday as part of the 2009 RSA Conference panel, "Software Security: Source Code vs. Binary Code Analysis," said his company uses both technologies in its software development lifecycle: Fortify Software Inc.'s source code analysis and Veracode Inc.'s application vulnerability analysis service for compiled code.

The panel included Brian Chess, Fortify co-founder and chief scientist, Veracode co-founder and CTO Chris Wysopal and Oracle Corp. CSO Mary Ann Davidson.

Wysopal said binary code analysis enables testing of the actual programs that will run. He noted that companies don't always have the source code, because programs typically include calls to DLLs and existing libraries.

On the other hand, Wysopal said, "What's better in source analysis is that you can point to the exact line of the code that's causing issues."

Chess said the goal is often to find vulnerabilities in what you've got, and that's typically an executable requiring binary code analysis.

"But if you want to build a secure product," he said, "you've got to talk to programmers in the languages they speak. That's source code."

Secure code development requires a combination of automated tools. Archer said the tools find 40% to 70% of the vulnerabilities in his company's programs. But finding the balance requires diligent human analysis, because the results are often influenced by "convoluted business logic" -- in other words, bad design decisions that automated tools can't flag.

The panelists said that schools are a prime reason for the lack of secure coding. They said universities crank out programmers who know nothing of security.

"My supply chain is the universities," Davidson said. "We need them to code defensively. They should adopt the Marines' ethos -- every marine is a rifleman."

"The problem," one member of the audience asserted, "is that Johnny can't code. The books are crappy. We should challenge the schools and the professors."

Davidson said product managers and release managers should also be trained in secure coding.

The panel suggested that corporations should make it easy for people to write secure code, and hard to write it insecurely; today, the process is upside down. They also recommended embedding training, tools and review in the SDLC.

"Every developer is trained on Fortify and secure coding," said Archer. "They know how to code securely; there's no excuse for not doing it."
