How to develop software the secure, Gary McGraw way
We're in the dog days of summer, a perfect time to look around and take stock, carefully considering major trends and their effect on the enterprise and adjusting strategy accordingly.
During what I like to call "no-fly July," I hop off the hamster wheel of constant progress and take some time to suss out what's going on in the world. For me, this involves taking a break from airplanes, moving all of my meetings to a rock in the middle of the Shenandoah River and taking some time to read and think.
This year, five major technology trends provide a framework for my thinking about software security and the enterprise. My goal in this article is to use BSIMM observations from the field (in particular calling out a number of the 111 specific BSIMM activities) to illustrate, flesh out and inform a technology trends discussion and angle the trends toward software security.
1. Software in everything
There are few modern systems that don't use software, and their number is dwindling fast. Software has become the lifeblood of the modern enterprise and is busy soaking into the roots of everything -- things we use, things we ride in and even things we put inside our bodies.
Modern televisions are more like computers than the simple receiver/monitor pairs that they were only ten years ago. A smart TV can help you manage your home media, connect to cloud services and show you the latest content conjured up by Netflix, but it also provides yet another entry point for hackers.
Same goes for cars. Your modern vehicle has an onboard network of processors, drive-by-wire and onboard entertainment; it also has (or will soon have) Internet connectivity, Wi-Fi capability and satellite control. University of South Carolina Professor Wenyuan Xu (Silver Bullet security podcast guest number 86) and her students have demonstrated just how vulnerable car-based computer systems are by hacking into the engine controller from the tire-monitoring system, and that's merely scratching the surface.
Finally, and more to the heart of the matter (quite literally), medical devices of all kinds have lots of embedded software in them. Medical device manufacturers are scrambling to address security even as their sensors are becoming increasingly integrated -- and their devices are all network-enabled these days. University of Michigan Professor Kevin Fu's Archimedes project is aimed directly at securing medical systems of all kinds.
What does this mean for the field of software security? Simply put, it is an expansion into new verticals. As the BSIMM shows, there are no special snowflakes when it comes to how to approach software security. Building secure software demands the same activities, no matter whether you are a multinational bank, a chip manufacturer or a global software house. Want to know how the big firms approach software security and how your firm stacks up? Use the BSIMM. Not doing software security yet? You're falling way behind.
2. Unification of the feeds (information to knowledge)
Speaking of software security initiatives, one somewhat disturbing side effect of computer security is the production of too much information. Almost all processes in the modern world have this property, and computer security is no exception. Smart CSOs constantly ask: how do we take all of this data and turn it into risk management actions?
Two BSIMM activities in particular address the idea of collecting and unifying software security information from many diverse activities into a software portfolio view: SM2.1, "Publish data about software security internally" (practiced by 21 of 51 firms), and SM3.1, "Use an internal tracking application with portfolio view" (practiced by 15 of 51 firms).
A portfolio-level view is important to software security for many reasons, not the least of which is the deluge of data. The days of a haphazard pen test of only one or two "high-risk" apps by metal-faced pen testers with blue hair are drawing to a close. In the shock of all shockers, it turns out that all of your applications are connected to the Internet! That means you must get some level of security coverage for your entire portfolio, understand where in the software development lifecycle (SDL) things are working and where they are failing, and improve the SDL through feedback. Cloud services that provide simplified security analysis, say, black box pen testing for Web apps, are extremely helpful in attaining portfolio coverage. Don't forsake depth in the name of breadth, but don't discount breadth too heavily either.
3. BYOD (or else)
By now your firm has a BYOD policy. Right?
Your employees don't care. They are going to bring their own devices in and connect to the network regardless of what that policy says. Your policy needs to acknowledge that reality and plan for not only the security implications of the devices themselves, but also the personal cloud apps and services your employees are using on their devices. Make no mistake about it: The Internet of Things will be controlled by mobile and other nontraditional computing devices. No more mouse; no more laptop.
To be sure, mobile security is important and its effect on software security is real, but it is not really a fundamental sea change (it's more like a flavor of the decade). The BSIMM explicitly calls the trend and others like it out in AM2.2, "Create technology-specific attack patterns" (practiced by 13 of 51 firms).
You can enhance endpoint security (in tablets and phones) with data protection regimes, noted in AM1.2, "Create a data classification scheme and inventory" (practiced by 31 of 51 firms); code signing, emphasized in SE2.4, "Use code signing" (practiced by 23 of 51 firms); and code protection mechanisms, called for in SE3.2, "Use code protection" (practiced by 11 of 51 firms).
Ultimately, the endpoints (including mobile devices) probably matter less than the cloud between them. This trend will continue, but don't forget about the network in the middle. At design time, make sure to consider attacker-in-the-middle, replay, lockout, starvation and other such attacks. Helpful guidance in these areas can be found in SR2.3, "Create standards for technology stacks" (practiced by 18 of 51 firms).
4. Ultra-rapid development
Think agile software development is fast? It gets even worse. Some ultra-rapid development groups move so fast these days that they roll their production servers with new code every four hours or so.
What is a security team to do? When is there time for a review (code or otherwise)? And how can a review be compressed in time to fit this approach? (In some sense, these firms are following a "bob and weave" security approach, moving so fast that attackers have a hard time landing a punch. So far this seems to have worked OK, though I expect a quick TKO should the attackers actually land a punch.)
What does this mean for software security? More demand for cloud services, lightweight security analysis built directly into developers' desktops, and touchpoints that can be carried out rapidly. As software security continues to scale, attention to this trend is critical. Lightweight automated penetration testing is a good example of a scalable security touchpoint. The BSIMM offers guidance in PT2.3, "Schedule periodic penetration tests for application coverage" (practiced by 24 of 51 firms).
5. Big data, Big Brother, and avoiding the NSA dragnet
Has big data met Big Brother? Of course it has. And they like each other. The NSA is vacuuming up so much trap-and-trace info, pen data and header information from Americans' phone calls, email and Facebook posts that the only way to handle it all is by creating a huge noSQL database that gets queried when the secret FISA court approves. Get this straight: They collect all of this data now and only look over it and/or paw through it when they feel like it.
Now that we know about all of the data being collected by intelligence agencies "for our own protection" or so they say, is privacy dead? If your firm has some secrets to keep, how will you keep them?
This is an issue that will take some work to address. If we can't trust our own government (which is in theory made up of us), exactly who or what can we trust? Fortunately, just as high-frequency traders and the black pools traders have thwarted SEC oversight by outstripping it technologically, there are likely similar privacy protection techniques that can be adopted to thwart Big Brother.
Ultimately, new techniques will need to be fed back into the SDL as it evolves, but for now, the best advice can be found in BSIMM activity CMVM3.2, "Enhance the SSDL to prevent software bugs found in operations" (practiced by 6 of 51 firms).
How do these trends affect your firm's strategy?
Understanding major technology trends is only a useful exercise if you take the trends to heart and adjust your enterprise strategy. How will these five trends affect the security of your organization? And, more important, what are you going to do about it when it comes to securing the software you're building? Now is the time to figure it out.
About the author:
Gary McGraw, Ph.D., is CTO of software security consulting firm Cigital Inc. He is a globally recognized authority on software security and the author of eight best-selling books on this topic.