The Rocky Road To More Secure Code

Secure application development initiatives are all the rage now, but will developers get 'religion'?
Scott says models like BSIMM and OpenSAMM are a good start for organizations that want to change. "It's a maturity model, which isn't necessarily prescriptive tactical advice on what to do," Scott says. "Secure application development needs a supportive process and organizational structure behind it. That's what the two maturity models help outline."

Tactical advice on how to do this has been available for some time, he says, such as the OWASP Top 10, 19 Sins of Software Security, SAFECode, and other projects. "I think a security-aware program manager could take pieces from the maturity model to show senior management where gaps may exist in their software assurance program. It is important to put a stake in the ground," Scott says.

ABN AMRO is using the maturity models to measure its own efforts to see where it can improve, Scott says. "They are excellent conversation starters,"

DTCC, meanwhile, has its own guidelines for off-the-shelf software purchases, as well as for its internal development team, which numbers around 450 in the U.S. and another 200 overseas. "We took a longer-term focus -- our accountability model takes vulnerability information and assigns it to an owner/team leader or developer," DTCC's Scott says. "The same vulnerability information [about code] goes to the developer or the team leader's boss." The next level, he adds, is the CIO, who gets a summary of the vulnerability information, he says.

This multilevel approach allows DTCC to drill down to a flaw in a specific line of code, as well as to track the remediation of it during a development project, he says. The firm also has designated "security mavens," or developers who specialize in security and are regularly training and meeting about security issues. "The model works," Routh says. "And we have quite a bit of scar tissue [from building it]," he says.

But big financial firms with these application programs under way, like ABN AMRO and DTCC, are the exception. Most internal developers are still getting their sea legs when it comes to setting up a program for writing and running more secure software, while progress is being made in the big commercial software firms, security experts say. Steve Christey, principal information security engineer for Mitre, who also works on the Common Vulnerability and Exposures (CVE) program, says CVE data shows vulnerabilities in major software products, such as those from Microsoft, are becoming less rampant.

"Vulnerabilities in products from major vendors like Microsoft still get announced every month. But it's often very difficult to detect [these vulnerabilities], and they require a large amount of time and investment from the people who discover them. That's one way to measure that software is becoming more secure: It's taking longer to find significant vulnerabilities in software."

Christey says the good news is these more obscure bugs are more difficult to detect and, therefore, more difficult and expensive to exploit . The bad news is that has put the bull's eye on third-party applications, especially in the Web 2.0 space: "Web 2.0 doesn't have a culture of security from the moment of conception of an idea all the way to deployment," he says. "Software assurance needs to be a holistic approach that crosses all phases of development. But many of the third-party developers have not gone down this road."

Meanwhile, programs like BSIMM are starting to attract attention outside the already-indoctrinated secure code development community. Gary McGraw, CTO at Cigital, says three more companies have asked to be added to the BSIMM model, and that the Financial Services Technology Consortium is backing BSIMM as a de facto standard for financial firms. Homeland Security is also interested in including BSIMM on its Build Security In program's Website. "BSIMM is not a recipe [for a software security project]. It's about building and measuring a software security initiative," McGraw says.

It's also a way to get executive buy-in for a secure coding program, says Brian Chess, chief scientist at Fortify. "There are a lot of things [here] that don't involve writing a line of code," he says.

So how should organizations use resources like BSIMM and OpenSAMM? "You have to figure out what is the motivating factor and perspective behind each model/initiative to make sure it is applicable to your enterprise. Microsoft's first SDLC is very much product-development-oriented. Their SDL Optimization model is less so, but still aimed more at development than assurance," ABN Amro's Scott says. And DHS is a government assurance model, he says.

"BSIMM is a best practices maturity model derived from one product company and one services company with a 'sanity-check' poll of nine large enterprises, and OpenSAMM uses a community-led approach of best practices and individual contributions," Scott says. Organizations just have to pick and choose among these programs with what best fits their requirements, he says.

Cigital's McGraw, meanwhile, says BSIMM is no proprietary model, but rather an open model with "unrestricted use."

Even if the multiple and sometimes-overlapping secure software programs cause a little confusion initially, it's worth the exposure, security experts say. "Given how little information there was on this 10 years ago, we welcome this embarrassment of riches," Mitre's Christey says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.