When security vulnerabilities in a vendor's software are exploited, significant costs are faced by the vendor and its software users. Software with security vulnerabilities harms an organization's reputation with customers, partners and investors. It increases costs as companies are forced to repair unreliable applications, and it delays other development efforts as limited resources are assigned to address current software deficiencies.
With the increased scrutiny of internal processes and controls resulting from mandates such as the Sarbanes-Oxley Act, executives are demanding that IT improve the development process in order to create more secure and reliable software.
Fix a flawed development process
All software has bugs, and a large number of these bugs have security implications. It's not just buggy code that is an issue. Software behavior and coding practices that were considered safe at the time of writing may now be ripe for exploitation by malicious hackers.
The problem for software development organizations is that they must simultaneously reduce software vulnerabilities while keeping operational costs in check. Plus, any new development strategy is expected to be applicable across geographically distributed teams -- including offshore service providers.
Something has to change. Software quality, and specifically software security, must be improved, and the most effective means is to address the root causes of poor software -- the defects in the source code. But to improve software, the current flawed development process must be addressed.
Start by assessing the situation
Rather than throwing more money and resources into a flawed process, companies need a new plan of action. Before implementing new processes and investing in new tools, companies should consider these steps:
Ensure information flow: A smart software development process ensures timely and effective information sharing. This enhanced knowledge improves communication between management and the development teams, allows developers to work with solid and secure architecture and coding practices, provides visibility into an application's context and its health at any point in the development life cycle, and lets IT manage software assets like other business assets.
Know the goals: A key consideration for any software security initiative is whether the goal is to audit the current state of your software's security or to implement a change in current development practices. An audit is a one-time event, while an in-process deployment can improve the security of existing applications, as well as provide the necessary experience, tools and processes to extend the concept of secure development throughout the entire development organization.
Determine strategies for new and existing code: Attempting to retrofit secure coding practices into existing code can lead to unforeseen issues. Often, the prudent course is to focus efforts on cleaning up critical, exploitable problems. In contrast, a new development environment offers the opportunity to implement secure coding practices right from the beginning.
Understand the range of security issues: These issues include: security vulnerabilities (problems that can be exploited by an attacker) and security flaws (problems that may exhibit themselves at the design level); security symptoms (theoretical threats that indicate a potential security vulnerability); and security weaknesses (nonuniform distribution of security symptoms and vulnerabilities in a given software system).
A checklist to produce high-quality, secure code
To create more-secure code, organizations can implement a six-step strategy that combines straightforward processes supported by multiple technology options. The steps are as follows:
- Conduct a software audit. An audit will uncover and help prioritize existing security vulnerabilities and code quality issues.
- Implement a "stop the bleeding" plan. The plan, accomplished by deploying an extensible, rules-based "quality/security compiler," ensures that tactical issues are addressed and enforces proper coding practices in new development.
- Perform a more detailed in-process audit. The in-depth audit looks for design and architecture weaknesses and correlates them with known security vulnerabilities. The findings are used to help plan a strategic road map.
- Convert in-process audit findings into policy. The next step is to clean up "one-time fixes" and update a rules-based security compiler to include any new policy requirements.
- Measure improvement. To gauge the initiative's success, it is imperative to monitor the trends and results from implementing the new processes and tools.
- Manage iterations of improvements. This iterative process requires repeating Steps 3 through 5. The key is to streamline the change process based on priorities, starting with the highest priority weaknesses.
Tools and techniques to support improved software development
There are several process and technology options available to support the implementation of this checklist. Organizations should invest in a combination of them to achieve the best results.
- Use, but understand the limitations of black-box testing. When addressing software security, traditional testing approaches fall short. While black-box testing will continue to play an important role in identifying and removing traditional, functional quality issues, it should not be the only tool used.
- Judiciously employ manual code reviews. Rigorous code reviews can enable detection of implementation-level security vulnerabilities but they require a disciplined methodology in order to obtain results. While manual code reviews are helpful, they can be quite costly and prone to human error.
- Use automated defect detection tools. Static analysis tools analyze source code and identify coding errors that can lead to security vulnerabilities. These tools complement traditional testing and manual code reviews.
Traditional software development is failing in today's globally networked environment. Insecure software reduces the productivity and wastes the money of businesses, and, as a result, harms the reputations and bottom lines of software producers. While an improved development process entails investment, it can be incremental and highly automated.
Just as an efficient manufacturing process can provide a competitive advantage, high-quality software development can help eliminate costly problems and improve profits. By addressing and investing in fixing the software security issue today, development companies can create a repeatable, sustainable approach for delivering consistently high-quality, secure code.
Djenana Campara is the founder and chief technology officer of Burlington, Mass.-based Klocwork Inc., a provider of static analysis software that detects software security vulnerabilities and helps improve overall software quality. Before founding Klocwork, Campara spent 11 years at Nortel Networks, advancing from senior software designer and team leader to manager and system architect. At Nortel, Campara and her team developed the technology that ultimately would lead to the founding of Klocwork. She has been awarded three U.S. patents for her software development work in creating Klocwork inSight, and has two patents pending.