Manage Learn to apply best practices and optimize your operations.

Enterprise security in 2008: Building trust into the application development process

The Storm botnet, launched a year ago, proved that malicious hackers were developing more sophisticated botnets -- and more sophisticated business strategies. As Michael Cobb explains, it's just one reason why application security pros need to keep a closer eye on their organizations' code-builders in 2008.

This tip is part of's Enterprise Security 2008 Learning Guide.

Information security in 2007 stood out from previous years because of the growing commercialization of malware. The Storm botnet launched in January, for example, and it is now estimated to encompass anywhere between one and five million compromised PCs. There are strong signs that this infrastructure is now being split up and sold off as well. Botnets have been for hire for a while, but this year's malware smacks of a well-planned business strategy, and a very successful one at that.

Vendors unite!
To have any chance at taking the Internet back from the hacker community, enterprises must advocate for far better cross-vendor cooperation. At present, there are too many disparate, commercially motivated attempts to provide security products -- and the process isn't working. Unless security is seamless, hackers will exploit any gaps they find. The only way to close those gaps is for cooperating vendors to ensure that buyers can use different security products together knowing that they are compatible and work as promised across heterogeneous networks.

A good example of this problem is spam. It's a drain on Internet resources, organizational infrastructures and the average user's time, and could be dramatically curtailed with existing technologies if only the industry could agree on how to implement them. Two technologies have emerged to identify email senders: Sender Policy Network and DomainKeys Identified Mail. Both approaches have pros and cons, but unless one is adopted across the board, or better still, another method combining the best of both, spam will continue to devastate the Internet. Maybe it's even getting to the point where the problem requires a government mandate to unite all concerned parties in a common direction!

Keep your enemies close -- and your developers closer
Maybe 2008 will see a breakthrough in industry cooperation, but there is a major concern for the upcoming year that each organization will have to fight alone. As the evolution of malware becomes more commercial, competition amongst hackers will increase, and no stone will be left unturned when they look for ways to plant and execute malicious code.

For more information

Download Michael Cobb's cross-build injection attack advice to your PC or favorite mobile device.

"Geekonomics" author David Rice reveals how users can revamp the software industry's incentives to get the security that they need. 

Experts at CSI 2007 said that Web application developers need security assistance.
Last month I wrote about the problems of cross-build injection, application attacks that insert malicious code while a program is actually being compiled. This emerging threat is an example of how hackers are looking at every aspect of the application development and deployment lifecycle, finding where they can take advantage of weaknesses to plant their code.

We know that security incidents are as likely to come from inside the network as from the outside. The internal attack vector, however, has to be taken seriously. The next step up from a "cross-build" type of attack is to "inject" a malicious developer into a software house. It could also be possible to subvert an existing employee. Disgruntled employees have long been a problem in various industries, including those of software. A rogue developer embedding malicious code into commercial products would be disastrous. A backdoor built into a killer app would be devastating.

Microsoft's sixth law of Immutable Laws of Security states that "A computer is only as secure as the administrator is trustworthy." The rule can also be applied to software and developers. Sadly, staff-vetting and monitoring are going to be a growing part of security policy.

Consider advocating for full background checks prior to employing new developers, and assessing these employees at periodic intervals thereafter. The checks must include temporary employees and contractors, too.

Separation of duties in network administration is commonplace, and a separation of coding duties is needed as well. Certainly code-review duties should be completed by a different set of developers. Diversifying a developer's tasks is a way of minimizing the opportunities to subvert the development process. On the upside, it can also make a developer's day more varied and interesting.

During 2007, we saw further evidence of the increasing sophistication of the hacker community. The ingenuity of many viruses and phishing scams is now on a par with any killer apps released by the IT industry giants. Fighting back against the new threats requires a reliable team, whether it's a group of cooperative vendors or a strong development staff of dependable members. The IT industry is as smart as the hacker community; it just needs to unite behind a common purpose.

Enterprise Security 2008 Learning Guide
  Malware trends suggest new twists on old tricks
  Addressing VoIP and virtualization
  Assessing access management
  Building trust into the application development process
  Security management in 2008: What's in store

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several Security Schools and, as a site expert, answers user questions on application security and platform security.

This was last published in January 2008

Dig Deeper on Secure software development

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.