The Rocky Road To More Secure Code

Homeland Security's Build Security In, Microsoft's Software Development Lifecycle (SDLC), BSIMM, and now OpenSAMM: Secure application development programs are spreading amid calls for more secure code.

The practice of writing applications from the ground up with security in mind remains in its infancy, even with software giant Microsoft leading the charge by sharing its internal Software Development Lifecycle framework in the form of free models and tools for third-party application developers and customers in the spirit of promoting more secure software. Now financial services firms are comparing notes and sharing their secure coding strategies and experiences in the new Building Security In Maturity Model (BSIMM) program spearheaded by Cigital and Fortify Software.

But in a recession fraught with shrinking budgets, it's unclear whether companies can afford to invest in secure development initiatives. In an as-yet unpublished survey by Forrester Research and Veracode, 45 percent of organizations said that application security is a significant part of their overall security strategy, but that they will likely be scaling back those initiatives in their next budget cycle. Around 18 percent of these organizations said their funding for app security will remain intact.

Funding is just one of the wild cards. Retooling application development also often requires a big cultural shift. While efforts like BSIMM and OpenSAMM have raised the profile of secure code-writing, security experts say, widespread deployment of such efforts within enterprises won't be easy.

"It's a good thing for the marketplace, this heightened security awareness [in application development]. But how do you implement it? It's like the early days of network vulnerability scanning -- there's so much output that you need a security expert to implement it," says Matt Moynahan, CEO of Veracode. "It's a difficult problem to solve."

BSIMM provides benchmarks for establishing an organizationwide software security program, based on real-world security software initiatives at the likes of financial firms Wells Fargo and Depository Trust & Clearing Corp. (DTCC), as well as Adobe, EMC, Google, Microsoft, and Qualcomm, and input from Cigital and Fortify. Jim Routh, CISO for DTCC, says his firm's internal secure development initiative saves the firm money labor and other costs. "This savings is reallocated to higher-value activities," Routh says. "Our controls identify defects or vulnerabilities early in the [development] life cycle."

But Veracode's Moynahan, whose company provides application security testing services, says BSIMM alone isn't enough. "What needs to happen is that appsec secure coding has to find a way into the mass market. The recommendations are a good set of guiding principles," he says. But for organizations with no knowledge of security, limited funds, or a small start-up, will they really go implement these best practices?

Another similar initiative, OpenSAMM (Software Assurance Maturity Model) launched last week, boasts an open-source model aimed at becoming an industry standard for secure software development. Led by OWASP member Pravir Chandra, OpenSAMM was initially funded by Fortify, which later helped develop BSIMM.

These models for building a secure app program, as well as DHS's Build Security In and others, also serve as a reality check that developing safer software takes more than scanning tools and penetration tests. "I think we are coming to the realization that application security requires a significant investment in all phases of the development life cycle, and while many organizations have been hoping that there was some 'silver bullet' for this problem, the publication of these maturity models show that it takes much more commitment," says Cory Scott, vice president of technical security assessment for ABN AMRO Bank.

NEXT: Off to a "good start" Scott says models like BSIMM and OpenSAMM are a good start for organizations that want to change. "It's a maturity model, which isn't necessarily prescriptive tactical advice on what to do," Scott says. "Secure application development needs a supportive process and organizational structure behind it. That's what the two maturity models help outline."

Tactical advice on how to do this has been available for some time, he says, such as the OWASP Top 10, 19 Sins of Software Security, SAFECode, and other projects. "I think a security-aware program manager could take pieces from the maturity model to show senior management where gaps may exist in their software assurance program. It is important to put a stake in the ground," Scott says.

ABN AMRO is using the maturity models to measure its own efforts to see where it can improve, Scott says. "They are excellent conversation starters,"

DTCC, meanwhile, has its own guidelines for off-the-shelf software purchases, as well as for its internal development team, which numbers around 450 in the U.S. and another 200 overseas. "We took a longer-term focus -- our accountability model takes vulnerability information and assigns it to an owner/team leader or developer," DTCC's Scott says. "The same vulnerability information [about code] goes to the developer or the team leader's boss." The next level, he adds, is the CIO, who gets a summary of the vulnerability information, he says.

This multilevel approach allows DTCC to drill down to a flaw in a specific line of code, as well as to track the remediation of it during a development project, he says. The firm also has designated "security mavens," or developers who specialize in security and are regularly training and meeting about security issues. "The model works," Routh says. "And we have quite a bit of scar tissue [from building it]," he says.

But big financial firms with these application programs under way, like ABN AMRO and DTCC, are the exception. Most internal developers are still getting their sea legs when it comes to setting up a program for writing and running more secure software, while progress is being made in the big commercial software firms, security experts say. Steve Christey, principal information security engineer for Mitre, who also works on the Common Vulnerability and Exposures (CVE) program, says CVE data shows vulnerabilities in major software products, such as those from Microsoft, are becoming less rampant.

"Vulnerabilities in products from major vendors like Microsoft still get announced every month. But it's often very difficult to detect [these vulnerabilities], and they require a large amount of time and investment from the people who discover them. That's one way to measure that software is becoming more secure: It's taking longer to find significant vulnerabilities in software."

Christey says the good news is these more obscure bugs are more difficult to detect and, therefore, more difficult and expensive to exploit . The bad news is that has put the bull's eye on third-party applications, especially in the Web 2.0 space: "Web 2.0 doesn't have a culture of security from the moment of conception of an idea all the way to deployment," he says. "Software assurance needs to be a holistic approach that crosses all phases of development. But many of the third-party developers have not gone down this road."

Meanwhile, programs like BSIMM are starting to attract attention outside the already-indoctrinated secure code development community. Gary McGraw, CTO at Cigital, says three more companies have asked to be added to the BSIMM model, and that the Financial Services Technology Consortium is backing BSIMM as a de facto standard for financial firms. Homeland Security is also interested in including BSIMM on its Build Security In program's Website. "BSIMM is not a recipe [for a software security project]. It's about building and measuring a software security initiative," McGraw says.

It's also a way to get executive buy-in for a secure coding program, says Brian Chess, chief scientist at Fortify. "There are a lot of things [here] that don't involve writing a line of code," he says.

So how should organizations use resources like BSIMM and OpenSAMM? "You have to figure out what is the motivating factor and perspective behind each model/initiative to make sure it is applicable to your enterprise. Microsoft's first SDLC is very much product-development-oriented. Their SDL Optimization model is less so, but still aimed more at development than assurance," ABN Amro's Scott says. And DHS is a government assurance model, he says.

"BSIMM is a best practices maturity model derived from one product company and one services company with a 'sanity-check' poll of nine large enterprises, and OpenSAMM uses a community-led approach of best practices and individual contributions," Scott says. Organizations just have to pick and choose among these programs with what best fits their requirements, he says.

Cigital's McGraw, meanwhile, says BSIMM is no proprietary model, but rather an open model with "unrestricted use."

Even if the multiple and sometimes-overlapping secure software programs cause a little confusion initially, it's worth the exposure, security experts say. "Given how little information there was on this 10 years ago, we welcome this embarrassment of riches," Mitre's Christey says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.