For years, information security pros have struggled to evangelize the need for secure software development, an...
area of emphasis for few organizations, but one that infosec experts know is critical to preventing application exploits.
At long last, software developers are slowly increasing their knowledge of software code security practices, creating better quality applications with fewer errors. While most admit that bugs will never be driven completely out of software, recent technology improvements and process changes outlined in various frameworks and methodologies are being implemented by developers and software vendors alike, and the result is cleaner, more secure code.
“We’ve come a long way, but we’ve still got work to do,” said Gary McGraw, CTO of Cigital Inc. McGraw noted that there are now thousands of developers who have been trained in secure software development, a major improvement in just a few years. “There is now a whole class of people that number in the thousands of software security professionals.”
McGraw, widely considered the information security industry’s foremost advocate for secure software development, is developing the third iteration of the Building Security in Maturity Model (BSIMM), which provides a way for major software firms to document how they incorporate security controls into the software development lifecycle.
You don’t have to implement the full SDL model in order to significantly improve the quality of your products.
Ari Takanen, founder and CTO of CodenomiconLtd.
Software security vulnerabilities have taken center stage in recent years as attackers have set their sights on zero-day flaws, unknown and unpatched coding errors that can be exploited to gain access to servers containing sensitive data. Adobe Systems Inc., whose Flash software is ubiquitous, is a favorite of attackers. The latest high-profile data breach involved RSA, the security division of EMC Corp., which was infiltrated by an attacker using an Adobe Flash Player zero-day vulnerability. Meanwhile, Microsoft continues to be plagued by coding errors in its products. Stuxnet, which targeted Siemens industrial control systems in some nuclear power plants, was programmed to use four zero-day vulnerabilities in Microsoft Windows. Security experts say the availability of free software testing tools enable attackers to find and use coding errors for their criminal pursuits.
Despite the plague of software zero-day vulnerabilities, McGraw said his BSIMM has helped foster progress at some high-profile firms. He counts as many as 2,000 people within the software security groups at the 33 BSIMM companies measured by the model. Organizations are now starting to take multiple measurements of their progress, he said. Bank of America is taking nine BSIMM measurements across its eight major divisions. McKesson Corp., also a member of BSIMM, is also taking multiple measurements.
“Now we can compare the progress at different divisions at Bank of America and at the highest levels, do some strategizing and do some planning about software security at a big gigantic firm,” McGraw said.
Tools help foster organizational change
Application security vendors, firms that sell static and dynamic code-testing tools to help customers find application vulnerabilities, have been on a crusade in recent years to get software makers to realize the value in creating more secure products and urge customers to demand higher quality code. Their efforts may be paying off, according to experts interviewed by SearchSecurity.com.
“We’re seeing companies of all sizes starting to use fuzzing tools because they are probably the easiest, fastest and cheapest way to get started,” said Ari Takanen, founder and CTO of Codenomicon Ltd., which focuses on fuzzing tools for telecommunications and network software. “You don’t have to implement the full SDL model in order to significantly improve the quality of your products.”
Companies typically get tied up in the culture change issues, not the technical issues, when it comes to injecting security into the software development processes, said David Ladd, principle security program manager in the security engineering strategy team at Microsoft.
The software giant has been a pioneer in secure software development and has long documented it with its Security Development Lifecycle (SDL). Making the process public was a quick decision, Ladd said, because the company was under fire to make improvements in the early 2000s and had customers asking how it secured its software. Many companies, including Adobe Systems Inc., whose software has been constantly targeted by attackers, are using the SDL as a blueprint to improve their processes, and enterprises with robust internal software development programs have done so as well. But can the SDL be used by smaller organizations on a limited budget?
“You do not have to be an enterprise developer or have enterprise development resources to be able to do the SDL,” Ladd said. “Depending on the organization, the ultimate beginning is in understanding your organization and what your capability is at that time. Trying to do it all at once is sort of a recipe for disaster.”
Evangelism, training still needed
Results of a recent software security study conducted by Veracode Inc. found there is still a lot of work to be done. Of 4,835 applications submitted to the firm for analysis, 58% had “unacceptable security quality,” according to a report the firm issued April 18. Commercial software makers and security vendors also fared poorly. Veracode found that 66% of software vendor applications had unacceptable security quality, and a surprising 72% of security software met the same poor ranking.
“In smaller companies and in enterprises, I think we’re still in an evangelism phase,” said Chris Wysopal, co-founder and CTO of Veracode. “I don’t think they understand the value of securing the software before you ship it and I think the industry is still evolving.”
For companies on a limited budget, Wysopal said security awareness training focused on software development teams is a good place to start. Targeted e-learning for specific software languages can vastly improve security awareness and give companies a big bang for the buck, he said. Smaller companies, he said, likely won’t be able to hire dedicated software security experts or even consultants to get up to speed. Low cost and free tools are available and many application security vendors sell Software as a Service technologies, which help limit expenses. Wysopal recommends static analysis testing to detect more issues earlier in the development lifecycle and also see how to fix vulnerabilities.
Software security improvements generally began with the development of black-box testing technologies, which focused on penetration testing or finding errors at the end of the software lifecycle. Watchfire, which made the AppScan black-box testing tool, was acquired by IBM in 2007. Hewlett-Packard Co. followed by acquiring black-box testing firm SpyDynamics.
Automation continued with the rollout of white-box static-analysis tools that conduct a more thorough scan of the code. “The technology is a winner,” said Cigital’s McGraw. The proof? IBM acquired Ounce Labs and HP acquired Fortify Software in 2010.
“The breadth of the market that can be addressed by these tools has gone up significantly,” McGraw said. “It’s helping get into the broad midmarket to small and midsized businesses that can get access and use these tools.”
The future, according to McGraw, is in technologies that can automate architectural risk analysis and threat modeling. Tools are slowly being developed to help companies understand their systems from a data flow perspective and apply a risk-based approach against secure software development processes.
“I believe that the room for startups there has to do with figuring out flaws and writing those flaws down so you can consistently apply them to your design and then being able to do a better job with dependency analysis,” McGraw said. “It’s a bit more thorough, but still very difficult to do.”
The problem is tricky to automate, he said, because every company addresses risk differently. Software code security tools are trying to find where the flaws are, determine how difficult they are to exploit and how difficult they are to fix, said Chris Eng, Veracode’s senior director of security research.
“There’s nothing out there today that ties together threat modeling and assessment tools in a meaningful way,” he said. “It may be something useful to do in the future; adding context to a scan is obviously a good thing.”