Risk
1/9/2008
07:55 AM
50%
50%

Software Security Strategies

Four ways to kick off your organization's software security initiative in the New Year

The shift is on: Many leading firms are currently engaged in large-scale software security and application security initiatives. If your organization is not yet doing so, the best New Year’s resolution you can make for 2008 is to improve your software security.

One of the biggest challenges with software security is getting started. Every enterprise is different and there is no one-size-fits-all approach. At Cigital, we’ve helped advise and steer many software security initiatives over the last several years, and we've come up with four ways to get started. Depending on the way your enterprise is organized and run, one of these approaches should work for you: the top-down framework; portfolio risk; training first; and leading with a tool.

Software has become the lifeblood of industry, and software defects have likewise shifted from mere technical annoyances to real business problems with huge financial ramifications. Over the last several years, some organizations have begun to realize the magnitude of the software problem that they’ve designed and coded themselves into. They've come to this realization through a combination of penetration testing performed by “reformed” hackers, Web application security testing tools like IBM/Watchfire and HP/SPI-Dynamics, and code review.

The good news is that the badness-ometer approach illuminates how the software problem applies to your own software. So the common myth that software security bugs and flaws apply only to open source code or to code written by others and surely not to yours, is profoundly debunked when within seconds an automated tool hacks your Website.

The problem with the badness-ometer approach to security is that recognizing you have a problem does not actually solve the problem. The result: a piling-up of huge numbers of security bugs and flaws that have yet to be fixed. The dam is likely to break in 2008, so it's time to eradicate some software defects and to learn how to stop making more of them.

A top-down framework approach follows the plan laid out in Chapter 10 of my book Software Security. The idea is simple – perform a gap analysis between where you are and where you want to be from a software security perspective. Then build a plan to address the gaps. Make sure to include software security best practices for software you build, assurance activities for the software you buy, a portal for software security guidance, and an enterprise-wide training program for developers and architects. (See Want Turns to Need.)

The framework approach works well in an organization with strong centralized IT leadership that has both the power and the budget to undertake a large-scale initiative. We’ve seen this approach work nicely in global financial services firms, even when the development organization has tens of thousands of developers spread over multiple continents.

The portfolio risk method takes a more business-oriented approach to the software security problem. The idea here is to assess the entire application portfolio according to some risk criteria agreed on in advance. The results of this risk survey help determine which kinds of security controls and activities should be applied in what order to what applications. Organizations that are set up with strong but stove-piped business units often benefit from this approach. When executive management understands software risks clearly (and what to do to mitigate them), good things usually follow.

The training first approach to software security is more grounded in the technical world. This approach helps developers who love to do the right thing but just don’t know what the right thing is when it comes to security. Having trained over 6,000 developers on software security, here are some pointers from us at Cigital: Make sure that trainers are actually software people (not security people with no software experience); use examples from the enterprise code base if possible; and include lots of hands-on exercises with real tools and techniques. Training is an essential part of any software security initiative, and sometimes it makes sense as a first step.

The lead with a tool approach, meanwhile, makes sense for an organization that has already purchased and attempted to roll out a security analysis tool. In many cases, QA departments are furnished with Web application security badness-ometers. Sometimes development organizations are mandated to use static analysis tools like Fortify, Ounce, or Coverity. After the dust clears, the real work of tool adoption begins. In our experience, writing custom rules (linked to corporate guidelines) for code review tools can be a very effective way of upping static-analysis tool adoption. Likewise, security testing training geared for QA is important for engendering an attacker’s perspective among professional testers who are used to focusing their attention on features and functions.

In the end, your organization may require some combination of the four paths to software security.

— Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.