Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

7/6/2021
01:00 PM
Jeff Williams
Jeff Williams
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

It's High Time for a Security Scoring System for Applications and Open Source Libraries

A benchmarking system would help buyers choose more secure software products and, more importantly, light a fire underneath software producers to make products secure.

Prompted in part by devastating attacks such as those on SolarWinds Orion, Microsoft Exchange, and Colonial Pipeline, the White House issued an executive order on cybersecurity in May. Application security is a prominent part of the document, with special emphasis on software supply chain security for all applications used by the federal government.

Related Content:

4 Habits of Highly Effective Security Operators

Special Report: Building the SOC of the Future

New From The Edge: rMTD: A Deception Method That Throws Attackers Off Their Game

The administration's emphasis on software supply chains is welcome considering the current threat environment. SolarWinds customers, for example, had no control over the integrity of that company's software and no way of knowing there would be a problem with a particular software update. SolarWinds Orion was simply off-the-shelf software they had purchased. In fact, affected SolarWinds customers were doing the right thing by installing updates quickly.

A Possible Software Security Scoring System
Although the regulations needed to implement the executive order have not yet been issued, one possible way of benchmarking compliance would be a rating system for software security. The Cyberspace Solarium Commission (CSC), which was formed in 2019 to develop a consensus on a strategic approach to defending the United States against cyberattacks, recommended in its 2020 report a voluntary system — similar to the Energy Star ratings on US appliances and Singapore's rating system for Internet of Things (IoT) devices. Others are pushing to make it mandatory.

Some observers have advocated for a scoring system for software for more than a decade. A public software security label with an easy-to-understand, easy-to-calculate overall score and supporting details is the key. Some consumers will use the label to choose more secure software products, but more importantly, such a labeling scheme will motivate software companies to improve their public scores by investing in robust application security for their products.

What Should a Scoring System Look Like?
While a software scoring system could take different forms, one requisite aspect is the need to take the entire software supply chain into account. Software providers need to know the security ratings of their applications' component parts — the open source libraries that are so ubiquitous in software these days. This is because upwards of 90% of applications contain code from third-party libraries. Once a piece of off-the-shelf software is taken to market, the users of that software need a single, overall security score that accounts for the component parts.

It is infeasible to come up with a perfect instrument to measure every aspect of security for every type of software possible. But it is possible to create a framework that (1) empowers software buyers to make more informed decisions, and (2) encourages producers to build better software with more security visibility.

Below is a conceptual model to help imagine how such a scoring system might work. Software is simply evaluated against six key security areas and assigned a grade. As you can see, things are haphazard or nonexistent at the bottom, while those at the top are continuous, automated, standardized, and comprehensive.

(Source: Contrast Security)
(Source: Contrast Security)

Based on an application's score in each of these categories, an overall letter grade could be assigned that would be visible on product webpages, marketing materials, and physical packaging. Based on this easy-to-understand letter grade, organizations and consumers choosing between two different software solutions could take security into account when they make their decision.

Every software user should be able to see letter grades (A, B, C, D, F) for their applications and open source libraries in real time, along with notifications when those scores change. The same system should provide actionable information to developers on the best way to improve an application's overall score. This would provide a unified platform of tools that ensures security across the entire software development life cycle — during build, test, and run.

Software Scoring: Enabling Informed Decision-Making
A software scoring system would improve national security by enabling organizations, such as the federal agencies recently victimized by the SolarWinds attack, to make informed decisions. It will also light a fire underneath software producers to take the needed steps to make their products secure.

 

Jeff brings more than 20 years of security leadership experience as Co-Founder and Chief Technology Officer of Contrast. Previously, Jeff was Co-Founder and Chief Executive Officer of Aspect Security, a successful and innovative application security consulting company ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-41393
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows forgery of SSH host certificates in some situations.
CVE-2021-41394
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows alteration of build artifacts in some situations.
CVE-2021-41395
PUBLISHED: 2021-09-18
Teleport before 6.2.12 and 7.x before 7.1.1 allows attackers to control a database connection string, in some situations, via a crafted database name or username.
CVE-2021-3806
PUBLISHED: 2021-09-18
A path traversal vulnerability on Pardus Software Center's "extractArchive" function could allow anyone on the same network to do a man-in-the-middle and write files on the system.
CVE-2021-41392
PUBLISHED: 2021-09-17
static/main-preload.js in Boost Note through 0.22.0 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal Electron API.