LAS VEGAS – Enterprises have long struggled to build security into their software development processes, and even a panel of experts at Black Hat 2011 said there are no easy ways to address the complex problem.
I wish we did have a real big budget for the software development lifecycle, but the approach I’ve taken is leveraging the things we already have.
John D. Johnson, senior security manager, Deere & Co.’s John Deere
The panel of application security experts, which included Verizon’s Alex Hutton, co-author of the Verizon Data Breach Investigations Report, John D. Johnson of Deere & Co.’s John Deere unit, Brad Arkin of Adobe Systems Inc. and Jeremiah Grossman of WhiteHat Security Inc., agreed enterprises need more innovative ways to conduct security awareness training for software developers, motivate upper management of the importance of software security, and conduct thorough code-review processes to detect coding errors early in the development process.
“At a manufacturing company like ours, we’ve got longer development cycles, fewer angry customers and we are a little slower; probably like the Titanic turning at times,” said Johnson, senior security manager at John Deere. “I wish we did have a real big budget for the software development lifecycle, but the approach I’ve taken is leveraging the things we already have.”
The same coding errors – SQL injection and cross-site scripting (XSS) errors – continue to create problems and be the central point of entry for many cyberattacks. Arkin, who has overseen security improvements at Adobe for several years, said the company, whose software is a favorite target of attackers, was forced to bolster process and move quickly to instill security at all levels of the business.
But Arkin admitted the task of making improvements is daunting. One big lesson learned was to stop spending so much time and money on manual code reviews and instead make investments in other process improvements, he said.
“We have on order of a billion lines of code in all our products,” Arkin said. “There’s no chance we can go through all that by hand.”
All of the panelists praised static and dynamic code analysis tools to scan and analyze software for serious coding errors. Arkin said repeatable and dependable code testing is important in keeping up software developer morale. It lets developers and their companies measure the progress of improvements, he said. A process must be in place that prioritizes coding error remediation, so bugs will be assessed and addressed quickly before the end of the development process, Arkin added. Adobe also has a certification program among its development teams, turning software security education into a completion. Developers can take dozens of 24-minute tutorials to work their way up to a “black belt” certification. Arkin said the company has an 80-point security plan and fosters a culture of security largely based on the company's training program.
The panelists said getting support from upper management on software coding improvements is important. Grossman, CTO of WhiteHat, said information security budgets are misaligned, causing areas, such as software security, to be neglected at some firms. While the overall IT budget spends the least amount on networks and puts a lot of money towards developers, the information security budget spends the most on the network layer and the least on creating secure software development processes.
“We can sit here and try to have the best answers, but if there are no resources to move forward, we’ve still got real problems,” Grossman said.