One of the challenges of software security, Gary McGraw, CTO of Cigital Inc., recently said, is that "we kind of know what to do in some sense, but scaling that activity across a huge enterprise can be a challenge." The key to progress, said McGraw, a top expert in the field of secure coding, is "automating a pretty standard approach across the entire portfolio."
In this interview, recorded at the 2015 RSA Conference, SearchSecurity editorial director Robert Richardson sat down with McGraw to discuss the prospects for automation. "Both dynamic black-box testing and guided testing using scripts and fairly straightforward simple code review can all be automated," McGraw said. The people charged with carrying out the reviews need to be "directed to automate everything that can possibly be automated."
Increasingly, McGraw argued, testing has to cover all of the apps in an enterprise's application portfolio. "Too often the first approach is to [ask] 'what are my highest risk applications?' and look at those alone. But if all of your low-risk applications have a million vulnerabilities, that's going to take you down."
McGraw acknowledged that looking for bugs that cause software security problems was much more tractable as an automation project than trying to grapple with vulnerabilities caused by flaws in the application's underlying design and architecture: "Trying to scale anything like threat modeling or architectural analysis has been a massive, massive problem."
That said, McGraw noted that "there are some aspects of the threat modeling process and architecture analysis process that you can automate. For example, if in your portfolio tech stack you always rely on a similar set of COTS or similar set of modules or libraries with certain sets of flaws, you can do a very simple-minded look and say well, there are three apps that use that library, that library is susceptible to this kind of flaw, therefore I'm going to look for it."
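The library-level check McGraw describes, written out as an added example (not code from the interview or from Cigital): it joins a portfolio inventory against a catalogue of library flaw classes and flags every app that uses an affected version, low-risk apps included. The app names, library names, versions and flaw catalogue are constructed, and the "affected at or below this version" rule is an assumption for illustration.

```python
"""Portfolio-wide triage: which apps pull in a library with a known class of flaw."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LibraryFlaw:
    library: str
    max_affected: str  # assumption: versions <= this (inclusive) carry the flaw
    flaw: str


def parse_version(version: str) -> tuple:
    """Turn '2.9.3' into (2, 9, 3) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


# Constructed sample portfolio: app -> risk rating and its library versions.
PORTFOLIO = {
    "payments-api":  {"risk": "high", "deps": {"xml-kit": "2.9.3", "json-kit": "1.4.0"}},
    "hr-intranet":   {"risk": "low",  "deps": {"xml-kit": "2.9.1"}},
    "marketing-cms": {"risk": "low",  "deps": {"json-kit": "1.5.2"}},
    "ops-dashboard": {"risk": "low",  "deps": {"xml-kit": "2.10.0"}},
}

# Constructed flaw catalogue: one known flaw class per library version range.
FLAWS = [
    LibraryFlaw("xml-kit", "2.9.4", "external entity expansion"),
    LibraryFlaw("json-kit", "1.4.9", "deserialization of untrusted input"),
]


def apps_to_review(portfolio: dict, flaws: list) -> dict:
    """Return {app: [(library, flaw class), ...]} across the whole portfolio.

    Every app is checked regardless of its risk rating; that is the point of
    doing this at portfolio scale rather than only on the high-risk apps.
    """
    findings: dict = {}
    for app, info in portfolio.items():
        for library, version in info["deps"].items():
            for f in flaws:
                if f.library == library and parse_version(version) <= parse_version(f.max_affected):
                    findings.setdefault(app, []).append((library, f.flaw))
    return findings


def low_risk_apps_flagged(portfolio: dict, flaws: list) -> set:
    """Low-risk apps that still need a look because of a flawed shared library."""
    return {app for app in apps_to_review(portfolio, flaws) if portfolio[app]["risk"] == "low"}
```

Running it against the constructed inventory flags payments-api for both libraries and hr-intranet for xml-kit, while marketing-cms and ops-dashboard are on versions above the affected range and drop out.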