Code name: Secure software

Code writers now occupy the front line in the battleground of software security as the defense shifts from perimeter protection to prevention function that's built in during the application development phase.

How these new frontline fighters are able to fortify applications will ultimately determine how much or how little additional security will be needed throughout the rest of IT. In this next stage of the war against malicious IT attacks, security defense begins in application coding.

And like soldiers going into battle, the ability of source code developers to fend off attackers will be as good as the weapons and ammunition at their disposal.

A recent Microsoft survey of its in-house business software developers found that 64 per cent of them say they don't feel confident enough to write secure applications. It brings into question whether software companies provide enough of the necessary tools and training that allow developers to write more secure code.

At last month's RSA Conference in San Jose, IT security professionals from both the business world and academia agreed that, when it comes to software security, the industry could and should do a lot more.

Experts believe fortifying the entire software security chain begins at the first link -- in the writing of application code. Secure coding lets software companies minimize or prevent application vulnerabilities, says Howard Schmidt, CEO, R&H Security Consulting in Issaquah, Wash. and a former White House cybersecurity advisor.

One of the first steps in secure code development is performing analysis, which involves a review of the code as it's written, Schmidt says. Some source code analysis tools in the market automate the process by running code against a long list of known vulnerabilities and remove the flaws as these are detected. Automated testing is key, says Schmidt, especially if developers are dealing with millions of lines of coding.

Penetration testing follows after the code is compiled and created into a binary and executable file. This test probes the application by simulating real-world attacks to identify flaws that can potentially be exploited.

Another step, says Schmidt, is testing the application in a production environment to ensure that the software security level is not diminished as a result of software buyers writing their own applications that interface with the product.

"The individual coder has to understand the environment in which he is going to be operating and make sure that he pays better attention to (writing) secure coding," says Schmidt, a former CSO for both Microsoft and eBay.

But secure code development may not be a priority requirement for some software companies. In some cases, programmers are pressured to make compromises in order to meet deadlines, budgets and innovation demands, says Schmidt.

The software industry's tendency to rush products to market is a contributor to generally poor software security, says Jeff Williams, CEO of Aspect Security, a firm that specializes in custom applications security. "It seems to me that we're rushing into new areas much faster than the security community can establish best practices."

It's a problem which code writers face as they struggle to develop new applications with specific functionalities and within a narrow timeframe, Schmidt says.

He says the most major complaint heard from code writers in authoring more secure applications is the tremendous pressure under which they are placed in order to get applications to market sooner, with more features and in less time.

Schmidt is quick to add, however, that for the sake of building more secure products responsible software companies are adopting a "time-flexible" approach. That means no application will be released prematurely.

"Overall, good employers are saying, 'I understand there's a time cycle we have to work with, but we're not going to wind up undermining security to get something out the door quicker.'

"That's a good thing because they're placing more attention on security," says Schmidt.

While Schmidt applauds the increased focus on software security, Aspect Security's Williams is not so optimistic. He says the industry still has not learned from past mistakes and says application security "hasn't improved and might be getting worse."

"The whole market is working to (improve) the level of security that exists in software that we are currently getting, which is really not very good," says Williams.

Most service agreements between software buyers and vendors lack security provisions. When software buyers don't demand secure software, a vendor might be encouraged to think security isn't an important consideration, Williams explains.

He says it is essential to place security provisions in service contracts. These should spell out which party bears the burden of liability should any security breach occurs.

Schmidt seems to disagree, however, and says the market will police itself by demanding greater security built into software. Litigation alone will not solve the problem, he says.

"I don't think (legal recourse) is necessary," he says. "We are very much in a mode where the market has responded, and in a market-driven society, you find you get your best results by letting the market drive the direction."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Mari-Len De Guzman

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?