Security Management Strategies for the CIOEnterprises and small and midsize businesses need to train developers in basic security fundamentals, address legacy code, and create a foundation for the entire software development program, but
Requires Free Membership to View
getting started on application
security isn’t easy, acknowledges Chris Wysopal, co-founder and CTO of Veracode Inc. In a
three-part interview with SearchSecurity.com, Wysopal explains why application
security training for developers is essential and how organizations can get beyond injecting
security into only high-risk applications. Addressing legacy
software is still a challenge, Wysopal said, but organizations can take smaller steps and make
a big impact with a minimal investment.
Editor’s Note: This is the first installment of a three-part Q&A series exploring application security program fundamentals, threats and solutions. In part two, application security expert Chris Wysopal of Veracode Inc. discusses application attacks and vulnerabilities.
What are the essential ingredients in creating a security-aware software development
environment?
Chris Wysopal: Some basic training fundamentals are important to do at least some introduction to
application security and application security principles. By default, I don’t think developers
think bugs and defects in their code that are security-related are really meaningful. Just an
understanding that there are attackers out there; these are the vulnerabilities they’re after; this
is the kind of data that they’re after, and this is how they do it is really important. It doesn’t
have to be a big deal. It can be a one hour e-learning class that a developer can take at their
leisure. That’s critical to set a basic foundation for why we’re fixing these bugs now.
What are the typical application security gaps at an organization?
Wysopal: I think one of the big ones is that application security is thought of as something
special you do for your most high-risk application and that’s it. A company might have hundreds of
high-risk applications and they think of application security for five of them. A couple of
development teams may think of application security, and everyone else ignores the problem. As
people move around, it just becomes a special thing that only a few people have to do.
Application security is really something every developer needs to know something about. Every
project needs to have some level of application security. The biggest gap I see is really a breadth
gap.
For someone looking for ways to improve software development, how difficult is it to address
legacy software in an organization?
Wysopal: That is a major challenge. When you talk to a lot of people that are trying to build an
application security program; some of the people trying to make rugged software, they’re trying to
figure out ways to make developers think about application security. Almost all the work that gets
done ignores the legacy problem. It’s like the elephant in the room. No one wants to deal with it.
It’s so much easier to write secure code on new code then to go back and retrofit old code. The
development team is gone, there are no resources and it’s just built with older languages, frankly
in a fairly ugly way. To me that’s the big elephant in the room for application security. We just
can’t ignore all the applications that have been built prior to today. Some of these applications
will last another decade, so they need to be secured at some point. That’s a real challenge.
There are many application security frameworks and models available. Are there any that
you recommend organizations look at for guidance?
Wysopal: I think something like [Building Security in Maturity Model] BSIMM
is a good approach for mature companies or large companies that can make a big investment. The
challenge is for the people who haven’t done application security yet. Those people need to start
off with something pretty lightweight. I don’t think there are a lot of approaches out there right
now that start lightweight as opposed to starting full-on. Some of the things we’re working on are
ways to make it easy for organizations to start with application security without having to hire a
big application security team and not have to make big investments to see their first results. It’s
something where you can see the first results within days of getting started. I think that’s the
direction we need to go in for all of the people who haven’t made heavy investments.
Join the conversationComment
Share
Comments
Results
Contribute to the conversation