Secure software: The source of the problem is the solution

The security products industry has created some great defenses for protecting technology that can be walled off from non-trusted outsiders. Firewalls, VPNs and strong authentication are mature technologies that work well to wall off vulnerable software where possible.

But security product defenses fall short when protecting technology that needs to be exposed to non-trusted (or less trusted) outsiders. These are your potential customers, current customers, partners and suppliers. Web applications and e-mail are examples of this type of software and are a major source of security vulnerabilities.

The class of software that can't rely on network defenses needs to take care of its own security. The source of the problem needs to be the source of the solution, the software itself.

Currently the software industry is creating secure software in reactive mode. Every time you download a patch and update your computer to make it more secure, you are downloading a correction to a piece of software your computer runs. The timeline leading up to the correction usually goes like this:

1. Vendor ships software with latent security flaw.
2. Vulnerability researcher discovers the flaw through manual testing and reports it to the vendor.
3. A maintenance engineer at the vendor reproduces the flaw and tracks down the place in the source code where the original programmer made a coding error.
4. The engineer fixes the problem in the source code, builds a patch and runs a regression testing suite to make sure the fix didn't break anything else.
5. The vendor issues a patch and notifies customers.
6. Attackers develop exploits and compromise vulnerable computers.
7. Customer downloads patch, potentially runs his/her own test suite and then deploys the patch on each vulnerable computer.

If there was a way to identify the problem in the source code before the software shipped to customers, large expenses would be saved by both vendors and customers. A NIST study, "The Economic Impacts of Inadequate Infrastructure for Software Testing, 2002," put the cost of fixing a bug in the field at $30,000 vs. $5,000 during coding. That study only takes into account the vendor's cost. A much larger cost is borne by software users: the cost of cleaning up worms, viruses and other intrusions, and keeping systems patched. For minor vulnerabilities customer costs are in the millions. For major worm outbreaks the costs can range into the billions.

Luckily we are not doomed to a costly reactive approach. There is a way to prevent most security flaws during the original production of the software. It's called secure coding. There are well known classes of coding flaws that any programmer can easily learn to identify and avoid. Most of it is just good programming practices such as correctly sizing buffers, checking function return codes, and using platform security and crypto API's properly. Most insecure code is simply sloppy code.

Software customers can save time and money by demanding that their vendors fix flaws up front with secure coding and not subject them to costly and seemingly endless worm and virus remediation and patching regimens.

About the author
Chris Wysopal is VP of R&D at @stake Inc., a digital security consulting firm based in Cambridge, Mass. He is a founding member of the Organization for Internet Safety.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Guest Commentary,   Software Development Methodology,   Application and Platform Security,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Guest Commentary Google hacking exposes a world of security flaws Eliminating the threat of spam email attacks Outsourcing IT services: Is it worth the security risk? How permanent is your storage solution? Honeypots can strengthen reconnaissance and lower intrusion noise Freedom of speech or lack of professional responsibility? This year compliance, next year control Senior security member explains his position on Abagnale Computer Security Institute's leader responds to Abagnale flap Spokesman or poster child? Software Development Methodology Quiz: How to build secure applications How to detect software tampering Developers Need Help with Security Errors Does an EULA make it truly illegal to decompile software? SQL injection continues to trouble firms, lead to breaches IBM acquires Ounce Labs for source code analysis Microsoft issues emergency Active Template Library updates Software security threats and employee awareness training Adobe patches ColdFusion vulnerability blocking website attack nCircle statistics show rising Web application vulnerabilities RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bypass  (SearchSecurity.com) Common Weakness Enumeration  (SearchSecurity.com) debugging  (SearchSoftwareQuality.com) fuzz testing  (SearchSecurity.com) heuristics  (SearchSoftwareQuality.com) sandbox  (SearchSecurity.com) threat modeling  (SearchSecurity.com) trigraph  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.