Developing an application security mind-set

By Kristin Cipolletti, Assistant Editor, SearchSecurity.com
05 Feb 2007 | SearchSecurity.com and Information Security magazine

As software applications have grown ever larger and more complex in recent years, it has become increasingly difficult to secure those applications after deployment. This has led some software makers to train their developers in secure coding practices in order to make applications more secure from the start.

But that is a small minority of vendors, and experts say application security won't improve much unless more ISVs start integrating security into their coding practices. And many industry observers believe that won't happen until developers and the organizations they work for learn how to think about security.

"It is necessary to develop a security mind-set. This means understanding the threats and risks, and keeping these in mind during all phases of software development and deployment," said Robert C. Seacord, senior vulnerability analyst with the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University.

The problem starts at the college level, experts say, because most aspiring software engineers and developers get little or no security education in school.

"Many of the introductory books on coding fail to discuss security, and as a result, many of the same vulnerabilities that were problematic for developers several years ago remain a problem today," said Michael Cobb, founder and managing director of Cobweb Applications.

Compounding the problem is the fact that the top priorities for most software projects are functionality and shipping the product on time. Developers aren't asked to think about security because consumers haven't asked for it. Security is often an afterthought, and many organizations still don't have a good handle on how to integrate security into the project requirements.

"Every application vulnerability is the result of some error during the development of the application," said Jeff Williams, chairman of the Open Web Application Security Project (OWASP). "The most common issues in the development process include the failure to define clear and detailed security requirements."

It's clear that developers unfamiliar with secure coding practices can't change their ways overnight, particularly given that application security is a relatively new concept. But there are some best practices that can be employed to improve the security of Web applications.

For one, organizations can start providing hands-on security training to make up for the gaps in formal education. Chris Wysopal, CTO of Veracode, said showing developers how vulnerabilities appear in the code they write will help them become more grounded and understand that an application free of functional bugs isn't necessarily a secure application.

From there, developers should adhere to common secure coding practices when writing code, including validating all user input, never trusting hidden form fields, keeping up to date on the latest attacks, and practicing defense-in-depth.
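
The two practices named first, input validation and not trusting hidden form fields, are easiest to see side by side. The following Python is an added example, not code from the article or from any of the organizations quoted in it: a checkout handler that reads a price from a hidden form field (the vulnerable pattern) next to one that validates every field against an allow-list and re-derives the price from a server-side catalogue. The catalogue, the SKU format, the quantity limit and the sample requests are all constructed for the illustration.

```python
"""Added example: trusting a hidden form field versus validating input and
keeping authoritative data server-side. All data here is constructed."""
import re
from decimal import Decimal

# Constructed catalogue: the server's source of truth for prices.
CATALOGUE = {
    "sku-100": Decimal("19.99"),
    "sku-200": Decimal("249.00"),
}

# Allow-list for the product identifier (hypothetical format) and a
# sanity bound on quantity; both are assumptions for this example.
SKU_RE = re.compile(r"^sku-\d{3}$")
MAX_QTY = 100


def checkout_insecure(form):
    """Vulnerable pattern: 'price' arrives from a hidden <input>, so the
    client controls it, and nothing is validated before use."""
    qty = int(form["qty"])
    price = Decimal(form["price"])
    return price * qty


def checkout_secure(form):
    """Hardened pattern: every field is validated against an allow-list
    and the price is looked up server-side. A hidden 'price' field, if
    present, is simply ignored because it carries no trusted data."""
    sku = form.get("sku", "")
    if not SKU_RE.match(sku) or sku not in CATALOGUE:
        raise ValueError("unknown product")
    qty_raw = form.get("qty", "")
    if not qty_raw.isdigit():          # rejects '', '-1', '2e3', '1.5'
        raise ValueError("quantity must be a positive integer")
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


def demo():
    """Run both handlers on a constructed request whose hidden price field
    has been altered, and return what each would charge."""
    tampered = {"sku": "sku-200", "qty": "2", "price": "0.01"}
    return {
        "insecure_total": checkout_insecure(tampered),
        "secure_total": checkout_secure(tampered),
    }


if __name__ == "__main__":
    for name, total in demo().items():
        print(f"{name}: {total}")
```

The insecure handler charges whatever the client sent; the secure one charges the catalogue price regardless of the form contents, and rejects malformed or out-of-range quantities before any arithmetic runs. The same validation functions are also what QA can exercise directly when testing for common input-handling flaws, independent of the user interface.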

Still, producing secure applications shouldn't be the sole responsibility of developers.

"To successfully develop secure systems, it is necessary that security is a focus of the entire development organization," said CERT's Seacord. "Software project managers need to ensure that secure software development processes are in place and that the developers understand and follow these processes. QA can assist in the process by testing for common vulnerabilities in addition to ensuring the overall quality of an application. CIOs need to emphasize the importance of producing secure code and ensure adequate organizational support."

While some say that even with these practices the industry is fighting an uphill battle, many experts are confident that the state of software security is improving. As evidence they point to the existence of communities, publications and vendor products once unavailable to the field.

But, improvements aside, the one thing that many say will push community thoughts and practices in a new direction is consumer demand. It may be only a matter of time until consumers explicitly ask for security like they ask for functionality.

As OWASP's Williams pointed out, "People are starting to rely on applications that will do things that will change their lives, and as we trust the software to do more and more things we will tend to see security increase."
