Code name: Secure software

Code writers now occupy the front line in the battleground of software security as the defense shifts from perimeter protection to prevention function that's built in during the application development phase.

How these new frontline fighters are able to fortify applications will ultimately determine how much or how little additional security will be needed throughout the rest of IT. In this next stage of the war against malicious IT attacks, security defense begins in application coding.

And like soldiers going into battle, the ability of source code developers to fend off attackers will be as good as the weapons and ammunition at their disposal.

A recent Microsoft survey of its in-house business software developers found that 64 per cent of them say they don't feel confident enough to write secure applications. It brings into question whether software companies provide enough of the necessary tools and training that allow developers to write more secure code.

At last month's RSA Conference in San Jose, IT security professionals from both the business world and academia agreed that, when it comes to software security, the industry could and should do a lot more.

Experts believe fortifying the entire software security chain begins at the first link -- in the writing of application code. Secure coding lets software companies minimize or prevent application vulnerabilities, says Howard Schmidt, CEO, R&H Security Consulting in Issaquah, Wash. and a former White House cybersecurity advisor.

One of the first steps in secure code development is performing analysis, which involves a review of the code as it's written, Schmidt says. Some source code analysis tools in the market automate the process by running code against a long list of known vulnerabilities and remove the flaws as these are detected. Automated testing is key, says Schmidt, especially if developers are dealing with millions of lines of coding.

Penetration testing follows after the code is compiled and created into a binary and executable file. This test probes the application by simulating real-world attacks to identify flaws that can potentially be exploited.

Another step, says Schmidt, is testing the application in a production environment to ensure that the software security level is not diminished as a result of software buyers writing their own applications that interface with the product.

"The individual coder has to understand the environment in which he is going to be operating and make sure that he pays better attention to (writing) secure coding," says Schmidt, a former CSO for both Microsoft and eBay.

But secure code development may not be a priority requirement for some software companies. In some cases, programmers are pressured to make compromises in order to meet deadlines, budgets and innovation demands, says Schmidt.

The software industry's tendency to rush products to market is a contributor to generally poor software security, says Jeff Williams, CEO of Aspect Security, a firm that specializes in custom applications security. "It seems to me that we're rushing into new areas much faster than the security community can establish best practices."

It's a problem which code writers face as they struggle to develop new applications with specific functionalities and within a narrow timeframe, Schmidt says.

He says the most major complaint heard from code writers in authoring more secure applications is the tremendous pressure under which they are placed in order to get applications to market sooner, with more features and in less time.

Schmidt is quick to add, however, that for the sake of building more secure products responsible software companies are adopting a "time-flexible" approach. That means no application will be released prematurely.

"Overall, good employers are saying, 'I understand there's a time cycle we have to work with, but we're not going to wind up undermining security to get something out the door quicker.'

"That's a good thing because they're placing more attention on security," says Schmidt.

While Schmidt applauds the increased focus on software security, Aspect Security's Williams is not so optimistic. He says the industry still has not learned from past mistakes and says application security "hasn't improved and might be getting worse."

"The whole market is working to (improve) the level of security that exists in software that we are currently getting, which is really not very good," says Williams.

Most service agreements between software buyers and vendors lack security provisions. When software buyers don't demand secure software, a vendor might be encouraged to think security isn't an important consideration, Williams explains.

He says it is essential to place security provisions in service contracts. These should spell out which party bears the burden of liability should any security breach occurs.

Schmidt seems to disagree, however, and says the market will police itself by demanding greater security built into software. Litigation alone will not solve the problem, he says.

"I don't think (legal recourse) is necessary," he says. "We are very much in a mode where the market has responded, and in a market-driven society, you find you get your best results by letting the market drive the direction."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Mari-Len De Guzman

Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Family Friendly

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Stocking Stuffer

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?