Risk
11/15/2012
03:02 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Fidelity Invests In Secure Software Development

No code goes live at financial services firm until it has been fully vetted

Microsoft got the ball rolling on secure software development for the commercial world, and now many of the world’s largest enterprises are picking it up and running with it, forcing many software vendors to catch up or lose the game. Fidelity Investments is one of those businesses that literally programmed secure software development into its business strategy.

Fidelity is a participant in the Building Security In Maturity Model (BSIMM) program, an ongoing, in-depth study of real-world enterprises' software security initiatives that its founders say can be used as a real-live security measurement tool. BSIMM, which was launched by Cigital, now encompasses 51 companies across financial services, ISVs, technology, and other industries.

David Smith, vice president of application security for Fidelity, says the company actually began secure coding practices in 1997. "We started secure code review when we first started putting Web apps online many years ago," Smith says. "It's always been a challenge ... are you making the right priority decisions?"

[Input validation and prepared SQL statements crucial to preventing SQL injection attacks. See The Root Of All Database Security Evils = Input.]

Smith says when Cigital approached Fidelity in 2008 to recruit the financial services firm for the very first BSIMM survey, it gave the company an opportunity to not only share its experiences and practices, but also to see how it stacked up with other companies in secure coding. "We were surprised that we had so much more in common [with other firms] than differences. It did confirm that what we were doing was in line with the industry’s best, and we could also see opportunities to improve," Smith says. "And now we could use those results to help justify some of our [project requests] and to realign resources."

Among the adjustments Fidelity has made in the wake of BSIMM: ratcheting up its security testing and architecture, Smith says. "We did focus some attention in the areas of Security Testing and Security Architecture, based on how we originally scored on the BSIMM survey, and leveraged what other leaders were doing in this space as reference. I believe we now have one of the best-of-breed solutions in both of those important practices," he says.

Businesses are starting to pressure software vendors into supplying them with more secure code as their own in-house secure development programs mature. New data from Veracode found that the number of vendors getting their applications security-tested grew nearly 50 percent during that 18-month period, much of which was prompted by prospective or existing customers requiring it.

As a matter of fact, big enterprises are starting to mentor smaller independent software vendors on secure coding, says Sammy Migues, a principal at Cigital who works on the BSIMM. "We hear anecdotally that a lot of firms feel or claim or have numbers to back up that there are more bugs in others' code than in their own code," Migues says.

Fidelity uses penetration testing and static-code analysis tools to vet its software code. And Smith says his company has seen fewer vulnerabilities in its code. "We do measure the number of vulnerabilities per thousand lines of code. I can't give you the exact number, but we've seen that metric greatly improving," he says.

Key to that improvement has been security training of its developers, he says, as well as automating secure development procedures. Fidelity also has buy-in from the top levels of management: "Our culture takes security very seriously, and we have a lot of support from executive management," Smith says. "We require that all of our code gets secure code reviewed prior to adoption. When we find security issues ... those findings get CIO attention," he says. "And CIOs review on a monthly basis with the CISO the status of all the applications." But Smith notes that recruiting security-minded developers remains difficult. "The academic environment is still not producing enough adequately trained secure developers. So with newly hired developers we have assumed the role of training them how to develop more securely," he says.

Despite the regular flow of bugs and breaches, software overall is getting cleaner and more secure, experts say. But the volume of code is increasing, too.

"We are in face getting better at software security. That's what's subtly happening. The defect density ratio is going down: There are fewer bugs per square inch," says Gary McGraw, CTO of Cigital and one of the founders of BSIMM. "We are still building lots more software, so we have way more square miles of code than ever before."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Don4
50%
50%
Don4,
User Rank: Apprentice
11/17/2012 | 2:54:03 PM
re: Fidelity Invests In Secure Software Development
Adobe is another participant of Cigital's BSIMM.-á The benefits appear to be minimal: http://www.darkreading.com/sec...
macker490
50%
50%
macker490,
User Rank: Ninja
11/16/2012 | 4:52:05 PM
re: Fidelity Invests In Secure Software Development
they will need to do 1 more thing: provide a "Live CD" e.g. Linux/Ubuntu or Chromebook so the user can work from a KNOWN software inventory.

it is essential to secure BOTH ends of the link.

remember: most hacks are from the ENDPOINT,-- using the Endpoint's credentials effected by the use of un-authoriozed program changes into the victim machine.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web