Risk
11/15/2012 03:02 PM

Fidelity Invests In Secure Software Development

No code goes live at financial services firm until it has been fully vetted

Microsoft got the ball rolling on secure software development for the commercial world, and now many of the world’s largest enterprises are picking it up and running with it, forcing many software vendors to catch up or lose the game. Fidelity Investments is one of those businesses that literally programmed secure software development into its business strategy.

Fidelity is a participant in the Building Security In Maturity Model (BSIMM) program, an ongoing, in-depth study of real-world enterprises' software security initiatives that its founders say can be used as a real-life security measurement tool. BSIMM, which was launched by Cigital, now encompasses 51 companies across financial services, ISVs, technology, and other industries.

David Smith, vice president of application security for Fidelity, says the company actually began secure coding practices in 1997. "We started secure code review when we first started putting Web apps online many years ago," Smith says. "It's always been a challenge ... are you making the right priority decisions?"

[Input validation and prepared SQL statements crucial to preventing SQL injection attacks. See The Root Of All Database Security Evils = Input.]
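The cross-linked point above, string-built queries versus prepared statements, is the kind of defect a secure code review is meant to catch before code goes live. The following added example (not code from the article, Fidelity, or Cigital) shows the flawed pattern beside its hardened form against a small constructed in-memory SQLite table; the table, the account names, and the helper names are assumptions for illustration only.

```python
import sqlite3


def make_db():
    """Constructed sample data so the example runs offline (not any real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """The 'before' pattern a code review flags: user input is spliced into SQL text,
    so the database parses whatever the caller supplied as part of the statement."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, owner):
    """Prepared (parameterized) statement: the driver binds the value separately,
    so it is compared as data and never interpreted as SQL."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def is_valid_owner(owner):
    """Input validation as a second layer: an allow-list of what an owner name may
    look like (hypothetical rule: 1-32 alphanumeric characters)."""
    return 1 <= len(owner) <= 32 and owner.isalnum()


def lookup_hardened(conn, owner):
    """Validation plus a prepared statement: reject malformed input up front, and
    bind what remains."""
    if not is_valid_owner(owner):
        raise ValueError("rejected account owner")
    return lookup_prepared(conn, owner)


def demo():
    """Run both lookups on a normal name and on a constructed test input that
    turns the WHERE clause into a tautology when concatenated into SQL text."""
    conn = make_db()
    normal = "alice"
    tautology = "x' OR '1'='1"  # constructed test input, not a real account name
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "prepared_tautology": lookup_prepared(conn, tautology),
        "validation_accepts_tautology": is_valid_owner(tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

With the concatenated query the tautology input returns every row in the table; the prepared statement returns nothing, because the same string is matched literally as an owner name, and the allow-list rejects it before the query is ever built. A static-analysis rule that flags string concatenation into `execute()` finds the first function; the review then asks for the third.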

Smith says when Cigital approached Fidelity in 2008 to recruit the financial services firm for the very first BSIMM survey, it gave the company an opportunity to not only share its experiences and practices, but also to see how it stacked up with other companies in secure coding. "We were surprised that we had so much more in common [with other firms] than differences. It did confirm that what we were doing was in line with the industry’s best, and we could also see opportunities to improve," Smith says. "And now we could use those results to help justify some of our [project requests] and to realign resources."

Among the adjustments Fidelity has made in the wake of BSIMM: ratcheting up its security testing and architecture, Smith says. "We did focus some attention in the areas of Security Testing and Security Architecture, based on how we originally scored on the BSIMM survey, and leveraged what other leaders were doing in this space as reference. I believe we now have one of the best-of-breed solutions in both of those important practices," he says.

Businesses are starting to pressure software vendors into supplying them with more secure code as their own in-house secure development programs mature. New data from Veracode found that the number of vendors getting their applications security-tested grew nearly 50 percent over an 18-month period, much of which was prompted by prospective or existing customers requiring it.

As a matter of fact, big enterprises are starting to mentor smaller independent software vendors on secure coding, says Sammy Migues, a principal at Cigital who works on the BSIMM. "We hear anecdotally that a lot of firms feel or claim or have numbers to back up that there are more bugs in others' code than in their own code," Migues says.

Fidelity uses penetration testing and static-code analysis tools to vet its software code. And Smith says his company has seen fewer vulnerabilities in its code. "We do measure the number of vulnerabilities per thousand lines of code. I can't give you the exact number, but we've seen that metric greatly improving," he says.

Key to that improvement has been security training of its developers, he says, as well as automating secure development procedures. Fidelity also has buy-in from the top levels of management: "Our culture takes security very seriously, and we have a lot of support from executive management," Smith says. "We require that all of our code gets secure code reviewed prior to adoption. When we find security issues ... those findings get CIO attention," he says. "And CIOs review on a monthly basis with the CISO the status of all the applications." But Smith notes that recruiting security-minded developers remains difficult. "The academic environment is still not producing enough adequately trained secure developers. So with newly hired developers we have assumed the role of training them how to develop more securely," he says.

Despite the regular flow of bugs and breaches, software overall is getting cleaner and more secure, experts say. But the volume of code is increasing, too.

"We are in fact getting better at software security. That's what's subtly happening. The defect density ratio is going down: There are fewer bugs per square inch," says Gary McGraw, CTO of Cigital and one of the founders of BSIMM. "We are still building lots more software, so we have way more square miles of code than ever before."


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

Comments
Don4, User Rank: Apprentice, 11/17/2012 | 2:54:03 PM
re: Fidelity Invests In Secure Software Development
Adobe is another participant of Cigital's BSIMM. The benefits appear to be minimal: http://www.darkreading.com/sec...
macker490, User Rank: Ninja, 11/16/2012 | 4:52:05 PM
re: Fidelity Invests In Secure Software Development
they will need to do 1 more thing: provide a "Live CD" e.g. Linux/Ubuntu or Chromebook so the user can work from a KNOWN software inventory.

it is essential to secure BOTH ends of the link.

remember: most hacks are from the ENDPOINT, using the Endpoint's credentials effected by the use of unauthorized program changes into the victim machine.