Code name: Secure software

Code writers now occupy the front line in the battleground of software security as the defense shifts from perimeter protection to prevention function that's built in during the application development phase.

How these new frontline fighters are able to fortify applications will ultimately determine how much or how little additional security will be needed throughout the rest of IT. In this next stage of the war against malicious IT attacks, security defense begins in application coding.

And like soldiers going into battle, the ability of source code developers to fend off attackers will be as good as the weapons and ammunition at their disposal.

A recent Microsoft survey of its in-house business software developers found that 64 per cent of them say they don't feel confident enough to write secure applications. It brings into question whether software companies provide enough of the necessary tools and training that allow developers to write more secure code.

At last month's RSA Conference in San Jose, IT security professionals from both the business world and academia agreed that, when it comes to software security, the industry could and should do a lot more.

Experts believe fortifying the entire software security chain begins at the first link -- in the writing of application code. Secure coding lets software companies minimize or prevent application vulnerabilities, says Howard Schmidt, CEO, R&H Security Consulting in Issaquah, Wash. and a former White House cybersecurity advisor.

One of the first steps in secure code development is performing analysis, which involves a review of the code as it's written, Schmidt says. Some source code analysis tools in the market automate the process by running code against a long list of known vulnerabilities and remove the flaws as these are detected. Automated testing is key, says Schmidt, especially if developers are dealing with millions of lines of coding.

Penetration testing follows after the code is compiled and created into a binary and executable file. This test probes the application by simulating real-world attacks to identify flaws that can potentially be exploited.

Another step, says Schmidt, is testing the application in a production environment to ensure that the software security level is not diminished as a result of software buyers writing their own applications that interface with the product.

"The individual coder has to understand the environment in which he is going to be operating and make sure that he pays better attention to (writing) secure coding," says Schmidt, a former CSO for both Microsoft and eBay.

But secure code development may not be a priority requirement for some software companies. In some cases, programmers are pressured to make compromises in order to meet deadlines, budgets and innovation demands, says Schmidt.

The software industry's tendency to rush products to market is a contributor to generally poor software security, says Jeff Williams, CEO of Aspect Security, a firm that specializes in custom applications security. "It seems to me that we're rushing into new areas much faster than the security community can establish best practices."

It's a problem which code writers face as they struggle to develop new applications with specific functionalities and within a narrow timeframe, Schmidt says.

He says the most major complaint heard from code writers in authoring more secure applications is the tremendous pressure under which they are placed in order to get applications to market sooner, with more features and in less time.

Schmidt is quick to add, however, that for the sake of building more secure products responsible software companies are adopting a "time-flexible" approach. That means no application will be released prematurely.

"Overall, good employers are saying, 'I understand there's a time cycle we have to work with, but we're not going to wind up undermining security to get something out the door quicker.'

"That's a good thing because they're placing more attention on security," says Schmidt.

While Schmidt applauds the increased focus on software security, Aspect Security's Williams is not so optimistic. He says the industry still has not learned from past mistakes and says application security "hasn't improved and might be getting worse."

"The whole market is working to (improve) the level of security that exists in software that we are currently getting, which is really not very good," says Williams.

Most service agreements between software buyers and vendors lack security provisions. When software buyers don't demand secure software, a vendor might be encouraged to think security isn't an important consideration, Williams explains.

He says it is essential to place security provisions in service contracts. These should spell out which party bears the burden of liability should any security breach occurs.

Schmidt seems to disagree, however, and says the market will police itself by demanding greater security built into software. Litigation alone will not solve the problem, he says.

"I don't think (legal recourse) is necessary," he says. "We are very much in a mode where the market has responded, and in a market-driven society, you find you get your best results by letting the market drive the direction."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Mari-Len De Guzman

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?