Enterprises and small and midsize businesses need to train developers in basic security fundamentals, address legacy code, and create a foundation for the entire software development program, but getting started on application security isn’t easy, acknowledges Chris Wysopal, co-founder and CTO of Veracode Inc. In a three-part interview with SearchSecurity.com, Wysopal explains why application security training for developers is essential and how organizations can get beyond injecting security into only high-risk applications. Addressing legacy software is still a challenge, Wysopal said, but organizations can take smaller steps and make a big impact with a minimal investment.
Editor’s Note: This is the first installment of a three-part Q&A series exploring application security program fundamentals, threats and solutions. In part two, application security expert Chris Wysopal of Veracode Inc. discusses application attacks and vulnerabilities.
What are the essential ingredients in creating a security-aware software development environment?
Chris Wysopal: Some basic training fundamentals are important to do at least some introduction to application security and application security principles. By default, I don’t think developers think bugs and defects in their code that are security-related are really meaningful. Just an understanding that there are attackers out there; these are the vulnerabilities they’re after; this is the kind of data that they’re after, and this is how they do it is really important. It doesn’t have to be a big deal. It can be a one hour e-learning class that a developer can take at their leisure. That’s critical to set a basic foundation for why we’re fixing these bugs now.
What are the typical application security gaps at an organization?
Wysopal: I think one of the big ones is that application security is thought of as something special you do for your most high-risk application and that’s it. A company might have hundreds of high-risk applications and they think of application security for five of them. A couple of development teams may think of application security, and everyone else ignores the problem. As people move around, it just becomes a special thing that only a few people have to do. Application security is really something every developer needs to know something about. Every project needs to have some level of application security. The biggest gap I see is really a breadth gap.
For someone looking for ways to improve software development, how difficult is it to address legacy software in an organization?
Wysopal: That is a major challenge. When you talk to a lot of people that are trying to build an application security program; some of the people trying to make rugged software, they’re trying to figure out ways to make developers think about application security. Almost all the work that gets done ignores the legacy problem. It’s like the elephant in the room. No one wants to deal with it. It’s so much easier to write secure code on new code then to go back and retrofit old code. The development team is gone, there are no resources and it’s just built with older languages, frankly in a fairly ugly way. To me that’s the big elephant in the room for application security. We just can’t ignore all the applications that have been built prior to today. Some of these applications will last another decade, so they need to be secured at some point. That’s a real challenge.
There are many application security frameworks and models available. Are there any that you recommend organizations look at for guidance?
Wysopal: I think something like [Building Security in Maturity Model] BSIMM is a good approach for mature companies or large companies that can make a big investment. The challenge is for the people who haven’t done application security yet. Those people need to start off with something pretty lightweight. I don’t think there are a lot of approaches out there right now that start lightweight as opposed to starting full-on. Some of the things we’re working on are ways to make it easy for organizations to start with application security without having to hire a big application security team and not have to make big investments to see their first results. It’s something where you can see the first results within days of getting started. I think that’s the direction we need to go in for all of the people who haven’t made heavy investments.