
Risk

11/15/2012
03:02 PM

Fidelity Invests In Secure Software Development

No code goes live at financial services firm until it has been fully vetted

Microsoft got the ball rolling on secure software development for the commercial world, and now many of the world’s largest enterprises are picking it up and running with it, forcing many software vendors to catch up or lose the game. Fidelity Investments is one of those businesses that literally programmed secure software development into its business strategy.

Fidelity is a participant in the Building Security In Maturity Model (BSIMM) program, an ongoing, in-depth study of real-world enterprises' software security initiatives that its founders say can be used as a real-life security measurement tool. BSIMM, which was launched by Cigital, now encompasses 51 companies across financial services, ISVs, technology, and other industries.

David Smith, vice president of application security for Fidelity, says the company actually began secure coding practices in 1997. "We started secure code review when we first started putting Web apps online many years ago," Smith says. "It's always been a challenge ... are you making the right priority decisions?"


Smith says when Cigital approached Fidelity in 2008 to recruit the financial services firm for the very first BSIMM survey, it gave the company an opportunity to not only share its experiences and practices, but also to see how it stacked up with other companies in secure coding. "We were surprised that we had so much more in common [with other firms] than differences. It did confirm that what we were doing was in line with the industry’s best, and we could also see opportunities to improve," Smith says. "And now we could use those results to help justify some of our [project requests] and to realign resources."

Among the adjustments Fidelity has made in the wake of BSIMM: ratcheting up its security testing and architecture, Smith says. "We did focus some attention in the areas of Security Testing and Security Architecture, based on how we originally scored on the BSIMM survey, and leveraged what other leaders were doing in this space as reference. I believe we now have one of the best-of-breed solutions in both of those important practices," he says.

Businesses are starting to pressure software vendors into supplying them with more secure code as their own in-house secure development programs mature. New data from Veracode found that the number of vendors getting their applications security-tested grew nearly 50 percent over an 18-month period, much of which was prompted by prospective or existing customers requiring it.

As a matter of fact, big enterprises are starting to mentor smaller independent software vendors on secure coding, says Sammy Migues, a principal at Cigital who works on the BSIMM. "We hear anecdotally that a lot of firms feel or claim or have numbers to back up that there are more bugs in others' code than in their own code," Migues says.

Fidelity uses penetration testing and static-code analysis tools to vet its software code. And Smith says his company has seen fewer vulnerabilities in its code. "We do measure the number of vulnerabilities per thousand lines of code. I can't give you the exact number, but we've seen that metric greatly improving," he says.

Key to that improvement has been security training of its developers, he says, as well as automating secure development procedures. Fidelity also has buy-in from the top levels of management: "Our culture takes security very seriously, and we have a lot of support from executive management," Smith says. "We require that all of our code gets secure code reviewed prior to adoption. When we find security issues ... those findings get CIO attention," he says. "And CIOs review on a monthly basis with the CISO the status of all the applications." But Smith notes that recruiting security-minded developers remains difficult. "The academic environment is still not producing enough adequately trained secure developers. So with newly hired developers we have assumed the role of training them how to develop more securely," he says.

Despite the regular flow of bugs and breaches, software overall is getting cleaner and more secure, experts say. But the volume of code is increasing, too.

"We are in fact getting better at software security. That's what's subtly happening. The defect density ratio is going down: There are fewer bugs per square inch," says Gary McGraw, CTO of Cigital and one of the founders of BSIMM. "We are still building lots more software, so we have way more square miles of code than ever before."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
macker490, User Rank: Ninja, 11/16/2012 | 4:52:05 PM
re: Fidelity Invests In Secure Software Development
they will need to do 1 more thing: provide a "Live CD" e.g. Linux/Ubuntu or Chromebook so the user can work from a KNOWN software inventory.

it is essential to secure BOTH ends of the link.

remember: most hacks are from the ENDPOINT, using the Endpoint's credentials effected by the use of unauthorized program changes into the victim machine.
Don4, User Rank: Apprentice, 11/17/2012 | 2:54:03 PM
re: Fidelity Invests In Secure Software Development
Adobe is another participant of Cigital's BSIMM. The benefits appear to be minimal: http://www.darkreading.com/sec...