Code name: Secure software

Code writers now occupy the front line in the battleground of software security as the defense shifts from perimeter protection to a prevention function that is built in during the application development phase.

How these new frontline fighters are able to fortify applications will ultimately determine how much or how little additional security will be needed throughout the rest of IT. In this next stage of the war against malicious IT attacks, security defense begins in application coding.

And like soldiers going into battle, the ability of source code developers to fend off attackers will be as good as the weapons and ammunition at their disposal.

A recent Microsoft survey of its in-house business software developers found that 64 per cent of them say they don't feel confident enough to write secure applications. It brings into question whether software companies provide enough of the necessary tools and training that allow developers to write more secure code.

At last month's RSA Conference in San Jose, IT security professionals from both the business world and academia agreed that, when it comes to software security, the industry could and should do a lot more.

Experts believe fortifying the entire software security chain begins at the first link -- in the writing of application code. Secure coding lets software companies minimize or prevent application vulnerabilities, says Howard Schmidt, CEO, R&H Security Consulting in Issaquah, Wash. and a former White House cybersecurity advisor.

One of the first steps in secure code development is performing analysis, which involves a review of the code as it's written, Schmidt says. Some source code analysis tools on the market automate the process by checking the code against a long list of known vulnerabilities and removing the flaws as they are detected. Automated testing is key, says Schmidt, especially if developers are dealing with millions of lines of code.
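The kind of automated review Schmidt describes, in its simplest form, is a scanner that checks source text against a list of known-risky constructs and reports where they occur. The following is an added illustration, not a tool from the article or from any vendor it mentions: a small pattern-based analyzer for C source whose banned-function list, the advice attached to each entry, and the sample C fragment it scans are all constructed for this example.

```python
"""Minimal pattern-based source analyzer (added illustration, not a product
described in the article). It scans C source text for calls to a constructed
list of functions long known to be unsafe and reports each hit with its line
number and a suggested replacement, as an automated code review would."""
import re

# Constructed banned-function list: each entry maps a risky call to the
# safer alternative a reviewer would suggest.
BANNED_CALLS = {
    "gets": "fgets with an explicit buffer size",
    "strcpy": "strncpy/strlcpy with a bounded length",
    "sprintf": "snprintf with a bounded length",
    "strcat": "strncat/strlcat with a bounded length",
}

# Match a banned name only as a whole word followed by an opening paren,
# so fgets( or snprintf( are not mistaken for gets( or sprintf(.
CALL_RE = re.compile(r"\b(" + "|".join(BANNED_CALLS) + r")\s*\(")


def scan_source(text):
    """Return a list of (line_number, function, advice) for each risky call.

    Lines that are comments are skipped so that documentation mentions of a
    function do not count as findings.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "/*", "*")):
            continue
        for match in CALL_RE.finditer(line):
            name = match.group(1)
            findings.append((lineno, name, BANNED_CALLS[name]))
    return findings


# Constructed sample input: a small C fragment with two risky calls and
# one safe call that the scanner must not flag.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
// strcpy is mentioned here only in a comment
int main(void) {
    char buf[16];
    gets(buf);             /* unbounded read */
    strcpy(buf, "hello");  /* unbounded copy */
    snprintf(buf, sizeof buf, "%s", "ok");
    return 0;
}
"""

if __name__ == "__main__":
    for lineno, name, advice in scan_source(SAMPLE_C):
        print(f"line {lineno}: {name}() -> use {advice}")
```

Run as a script it lists the two unbounded calls in the sample with their line numbers; a real analyzer adds data-flow and type information on top of this kind of lexical match, but the reporting loop is the same shape.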

Penetration testing follows after the code is compiled into a binary executable. This test probes the application by simulating real-world attacks to identify flaws that can potentially be exploited.

Another step, says Schmidt, is testing the application in a production environment to ensure that the software security level is not diminished as a result of software buyers writing their own applications that interface with the product.

"The individual coder has to understand the environment in which he is going to be operating and make sure that he pays better attention to (writing) secure coding," says Schmidt, a former CSO for both Microsoft and eBay.

But secure code development may not be a priority requirement for some software companies. In some cases, programmers are pressured to make compromises in order to meet deadlines, budgets and innovation demands, says Schmidt.

The software industry's tendency to rush products to market is a contributor to generally poor software security, says Jeff Williams, CEO of Aspect Security, a firm that specializes in custom applications security. "It seems to me that we're rushing into new areas much faster than the security community can establish best practices."

It's a problem that code writers face as they struggle to develop new applications with specific functionalities within a narrow timeframe, Schmidt says.

He says the most common complaint heard from code writers about authoring more secure applications is the tremendous pressure under which they are placed to get applications to market sooner, with more features and in less time.

Schmidt is quick to add, however, that for the sake of building more secure products responsible software companies are adopting a "time-flexible" approach. That means no application will be released prematurely.

"Overall, good employers are saying, 'I understand there's a time cycle we have to work with, but we're not going to wind up undermining security to get something out the door quicker.'

"That's a good thing because they're placing more attention on security," says Schmidt.

While Schmidt applauds the increased focus on software security, Aspect Security's Williams is not so optimistic. He says the industry still has not learned from past mistakes and says application security "hasn't improved and might be getting worse."

"The whole market is working to (improve) the level of security that exists in software that we are currently getting, which is really not very good," says Williams.

Most service agreements between software buyers and vendors lack security provisions. When software buyers don't demand secure software, a vendor might be encouraged to think security isn't an important consideration, Williams explains.

He says it is essential to place security provisions in service contracts. These should spell out which party bears the burden of liability should any security breach occur.

Schmidt seems to disagree, however, and says the market will police itself by demanding greater security built into software. Litigation alone will not solve the problem, he says.

"I don't think (legal recourse) is necessary," he says. "We are very much in a mode where the market has responded, and in a market-driven society, you find you get your best results by letting the market drive the direction."

Mari-Len De Guzman