Secure software development starts before coding begins

By Neil Roiter, Senior Technology Editor, Information Security magazine
21 Apr 2009 | SearchSecurity.com


SAN FRANCISCO -- Secure software development should start before a developer writes a single line of code.

"Source code analysis begins at concept phase," said Intuit Inc. vice president and CISO Jerry Archer. "By the time we get to the architecture phase, we have a security model."

Archer, speaking Tuesday as part of the 2009 RSA Conference panel, "Software Security: Source Code vs. Binary Code Analysis," said his company uses both technologies in its software development lifecycle: Fortify Software Inc.'s source code analysis and Veracode Inc.'s application vulnerability analysis service for compiled code.

The panel included Brian Chess, Fortify co-founder and chief scientist, Veracode co-founder and CTO Chris Wysopal and Oracle Corp. CSO Mary Ann Davidson.

Wysopal said binary code analysis enables testing of the actual programs that will run. He noted that companies don't always have source code, because shipped programs typically call into DLLs and third-party libraries for which only the compiled form is available.

On the other hand, Wysopal said, "What's better in source analysis is that you can point to the exact line of the code that's causing issues."

Chess said the goal is often to find vulnerabilities in what you've got, and that's typically an executable requiring binary code analysis.

"But if you want to build a secure product," he said, "you've got to talk to programmers in the languages they speak. That's source code."

Secure code development requires automated tools, but they are not sufficient on their own. Archer said the tools find 40% to 70% of the vulnerabilities in his company's programs. The balance requires diligent human analysis, because the remaining flaws are often rooted in "convoluted business logic", in other words bad design decisions that automated tools can't flag.
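To make the gap concrete, here is an added example that is not code from the panel, from Intuit, or from Fortify or Veracode: a toy source-code scanner built on Python's ast module, run over a constructed sample of three hypothetical order-lookup handlers. It flags the handler that builds SQL at runtime, the kind of pattern a source analyzer can point to by line number, and stays silent on the handler whose query is parameterized but never checks that the order belongs to the requesting user. That second flaw is the "business logic" case: the code is syntactically clean, so only a reviewer who knows the intended design will catch it. Function names, the order table, and the user_id column are all assumptions for illustration.

```python
import ast

# Constructed sample input: hypothetical handlers from an imaginary order
# service. None of this is real Intuit, Fortify or Veracode code.
SAMPLE_SOURCE = '''
def get_order_injectable(cursor, order_id):
    # SQL assembled with string formatting: a pattern a source scanner can flag
    cursor.execute("SELECT * FROM orders WHERE id = %s" % order_id)
    return cursor.fetchone()

def get_order_parameterized(cursor, order_id):
    # Parameterized query: the scanner sees a constant query string and stays quiet
    cursor.execute("SELECT * FROM orders WHERE id = ?", (order_id,))
    return cursor.fetchone()

def get_order_for_user(cursor, user_id, order_id):
    # Business-logic flaw: the query never checks that the order belongs to
    # user_id, so any logged-in user can read any order. The code is
    # syntactically clean, so the pattern scanner has nothing to report.
    cursor.execute("SELECT * FROM orders WHERE id = ?", (order_id,))
    return cursor.fetchone()

def get_order_for_user_fixed(cursor, user_id, order_id):
    # What a human reviewer who understands the design would insist on
    cursor.execute("SELECT * FROM orders WHERE id = ? AND user_id = ?",
                   (order_id, user_id))
    return cursor.fetchone()
'''

# Method names treated as SQL sinks (assumed DB-API style cursor)
SQL_SINKS = {"execute", "executemany"}


def _built_at_runtime(node):
    """True if the AST node is a string assembled at runtime rather than a literal."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                      # "..." % x   or   "..." + x
    if isinstance(node, ast.JoinedStr):
        return True                      # f"..."
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                      # "...".format(x)
    return False


def find_sql_injection(source):
    """Return [(function_name, line_number)] for every execute()/executemany()
    call whose query argument is built at runtime. Line numbers are relative
    to the start of the scanned source string."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr in SQL_SINKS
                    and node.args
                    and _built_at_runtime(node.args[0])):
                findings.append((func.name, node.lineno))
    return findings


def scanner_coverage(source):
    """Split the functions in source into those the scanner flagged and those
    it passed, so the logic flaw the scanner misses is visible in the output."""
    flagged = {name for name, _ in find_sql_injection(source)}
    all_funcs = [n.name for n in ast.walk(ast.parse(source))
                 if isinstance(n, ast.FunctionDef)]
    return {"flagged": sorted(flagged),
            "passed": [f for f in all_funcs if f not in flagged]}


if __name__ == "__main__":
    for name, line in find_sql_injection(SAMPLE_SOURCE):
        print(f"possible SQL injection in {name}() at line {line}")
    print(scanner_coverage(SAMPLE_SOURCE))
```

Running it reports get_order_injectable at line 4 of the sample and lists get_order_for_user among the functions that passed, alongside the two safe handlers. A real source analyzer does far more than this pattern match (taint tracking across calls, for instance), but the shape of the result is the same: it can name the line where a query is concatenated, and it cannot know that an order lookup was supposed to be scoped to the caller.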

The panelists said that schools are a prime reason for the lack of secure coding. They said universities crank out programmers who know nothing of security.

"My supply chain is the universities," Davidson said. "We need them to code defensively. They should adopt the Marines' ethos -- every marine is a rifleman."

"The problem," one member of the audience asserted, "is that Johnny can't code. The books are crappy. We should challenge the schools and the professors."

Davidson said product managers and release managers should also be trained in secure coding.

The panel suggested that corporations should make it easy for people to write secure code, and hard to write it insecurely; today, the process is upside down. They also recommended embedding training, tools and review in the SDLC.

"Every developer is trained on Fortify and secure coding," said Archer. "They know how to code securely; there's no excuse for not doing it."
