11/15/2012 03:02 PM
Fidelity Invests In Secure Software Development

No code goes live at financial services firm until it has been fully vetted

Microsoft got the ball rolling on secure software development for the commercial world, and now many of the world’s largest enterprises are picking it up and running with it, forcing many software vendors to catch up or lose the game. Fidelity Investments is one of those businesses that literally programmed secure software development into its business strategy.

Fidelity is a participant in the Building Security In Maturity Model (BSIMM) program, an ongoing, in-depth study of real-world enterprises' software security initiatives that its founders say can be used as a real-live security measurement tool. BSIMM, which was launched by Cigital, now encompasses 51 companies across financial services, ISVs, technology, and other industries.

David Smith, vice president of application security for Fidelity, says the company actually began secure coding practices in 1997. "We started secure code review when we first started putting Web apps online many years ago," Smith says. "It's always been a challenge ... are you making the right priority decisions?"

[Input validation and prepared SQL statements are crucial to preventing SQL injection attacks. See The Root Of All Database Security Evils = Input.]

Smith says when Cigital approached Fidelity in 2008 to recruit the financial services firm for the very first BSIMM survey, it gave the company an opportunity to not only share its experiences and practices, but also to see how it stacked up with other companies in secure coding. "We were surprised that we had so much more in common [with other firms] than differences. It did confirm that what we were doing was in line with the industry’s best, and we could also see opportunities to improve," Smith says. "And now we could use those results to help justify some of our [project requests] and to realign resources."

Among the adjustments Fidelity has made in the wake of BSIMM: ratcheting up its security testing and architecture, Smith says. "We did focus some attention in the areas of Security Testing and Security Architecture, based on how we originally scored on the BSIMM survey, and leveraged what other leaders were doing in this space as reference. I believe we now have one of the best-of-breed solutions in both of those important practices," he says.

Businesses are starting to pressure software vendors into supplying them with more secure code as their own in-house secure development programs mature. New data from Veracode found that the number of vendors getting their applications security-tested grew nearly 50 percent over an 18-month period, growth that was largely prompted by prospective or existing customers requiring such testing.

As a matter of fact, big enterprises are starting to mentor smaller independent software vendors on secure coding, says Sammy Migues, a principal at Cigital who works on the BSIMM. "We hear anecdotally that a lot of firms feel or claim or have numbers to back up that there are more bugs in others' code than in their own code," Migues says.

Fidelity uses penetration testing and static-code analysis tools to vet its software code. And Smith says his company has seen fewer vulnerabilities in its code. "We do measure the number of vulnerabilities per thousand lines of code. I can't give you the exact number, but we've seen that metric greatly improving," he says.

Key to that improvement has been security training of its developers, he says, as well as automating secure development procedures. Fidelity also has buy-in from the top levels of management: "Our culture takes security very seriously, and we have a lot of support from executive management," Smith says. "We require that all of our code gets secure code reviewed prior to adoption. When we find security issues ... those findings get CIO attention," he says. "And CIOs review on a monthly basis with the CISO the status of all the applications." But Smith notes that recruiting security-minded developers remains difficult. "The academic environment is still not producing enough adequately trained secure developers. So with newly hired developers we have assumed the role of training them how to develop more securely," he says.

Despite the regular flow of bugs and breaches, software overall is getting cleaner and more secure, experts say. But the volume of code is increasing, too.

"We are in fact getting better at software security. That's what's subtly happening. The defect density ratio is going down: There are fewer bugs per square inch," says Gary McGraw, CTO of Cigital and one of the founders of BSIMM. "We are still building lots more software, so we have way more square miles of code than ever before."


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Don4 (User Rank: Apprentice), 11/17/2012 | 2:54:03 PM
re: Fidelity Invests In Secure Software Development
Adobe is another participant of Cigital's BSIMM. The benefits appear to be minimal: http://www.darkreading.com/sec...
macker490 (User Rank: Ninja), 11/16/2012 | 4:52:05 PM
re: Fidelity Invests In Secure Software Development
They will need to do one more thing: provide a "Live CD" (e.g. Linux/Ubuntu or Chromebook) so the user can work from a KNOWN software inventory.

It is essential to secure BOTH ends of the link.

Remember: most hacks are from the ENDPOINT, using the endpoint's credentials, effected by the use of unauthorized program changes into the victim machine.