
Analytics

4/20/2007
07:00 AM

Want Turns to Need

Software security is no longer an emerging discipline, and here's why enterprises should care

Software security (also known as application security to some) is less than a decade old. In 1999 when I began to write "Building Secure Software" with John Viega, there were no books and only a few articles for software developers and architects interested in building in security. Lots of tomes and titles now fill the software security bookshelf.

Not surprisingly, software security is now considered a real subsector of computer security and is even tracked by analysts. The Yankee Group estimates that the entire market is worth between $250 million and $275 million, numbers that jibe with my own breakdown of the space.

As software security grows from a nice-to-have into a necessity, many companies are trying to determine how to get started. A quick look over the space can provide some answers.

Bigger Toolbox
Last year, the combined software security tools market earned between $90 million and $100 million. Most of this revenue was earned by black box testing tools, especially those created specifically for testing Web software. Black box testing tool vendors earned between $58 million and $70 million. The leader in the Web application security testing space is Watchfire, which earned close to $30 million last year. The other strong competitor, SPI Dynamics, earned just over $18 million. Smaller companies in the space, including Cenzic, Codenomicon, and the like, earned another $10 million or so between them.

My view of black box testing tools, which I call "badness-ometers," is well known. In brief, badness-ometers are great for identifying and highlighting the software security problem: a finding proves the software is broken, but a clean run proves nothing, so don't treat them as security meters. As such, I'm pleased that the market for these tools is robust, having doubled last year and continuing with similar growth into 2007. The best aspect of these tools is that they help companies and developers understand that their software is broken, an essential activity in a new market like software security. Once this realization hits home, these companies are well positioned to take advantage of code analysis tools and other software security professional services.

If your company has yet to come to grips with software security, a black box testing tool may be just what the doctor ordered. On good days, these tools can find very serious problems with very little up front investment, and in many organizations, identifying the problem is often half the battle.

As badness-ometers continue to spread, they drive demand for solutions that do more than identify the problem. Source code analysis tools speak to this demand. Last year, code scanners earned around $20 million (more than doubling the 2005 revenue). This market is dominated by Fortify, which earned 10 times more than its closest remaining competitor, Ounce Labs. (Fortify acquired some of the assets of Secure Software early this year.) Klocwork and Coverity, which sell closely related tools, tend to focus more on software quality than on software security, so I don't count their revenue in this analysis.

Code scanning tools are often very reasonable places to start for development groups that want to tackle the software security problem, especially in shops that are code intensive.

Services Uptick
Black box testing tools and source code analysis tools don't run themselves, nor do they provide a silver bullet for the software security problem. All told, the software security services market is worth anywhere from $80 million to $120 million. SPI Dynamics' and Watchfire's offerings are simple and powerful enough to be wielded by workaday testers and developers, but more complex tools work much more effectively when they are properly integrated into an organization.

Large consultancies such as IBM Global Services, Cybertrust, Symantec, and Ernst & Young focus their software security activities on application penetration testing services. Ultimately, these are badness-ometer services: in many cases, they consist of running a Web application security testing tool and reporting its results.

Boutique consulting shops such as Foundstone and Cigital focus more attention on getting inside the code. These consultancies wield source code scanners, provide training, and also perform architectural risk analysis.

In 2006, services surrounding more complete software security initiatives at the enterprise level came into vogue. These large scale initiatives include training for thousands of developers, the creation of enterprise-specific knowledge and guidance, and the integration of software security best practices (which I call the touchpoints) into the software development lifecycle.

Overcoming Denial
Software security is quickly becoming a business necessity. As I described in last month's column, SOX and PCI compliance activities serve to help corporations better understand their software risk. (See Compliance As Kick-Starter.) Because the impact of software failure (maliciously caused or otherwise) is great, many corporations are already working diligently on software security.

There are many ways to get started. Those corporations serious about tackling the problem -- that is, those corporations with staggering amounts of software security risk -- take on multi-year enterprise software security initiatives. Microsoft has made plenty of noise and progress with its Trustworthy Computing initiative. Other ISVs, including Oracle and Cisco, are rushing to catch up even as their customers begin to ask hard questions about product security. The financial vertical leads the pack among non-ISV corporations with large scale initiatives underway. The first step in any large initiative is creating a plan based on best practices. Such plans almost always include a heavy training component.

A large initiative may be too much to bite off at once, especially if your company has yet to come to grips with the business reality of the problem. In these cases, getting started with a simple badness-ometer tool is often helpful. These tools can produce eye-opening results of the "oh darn" variety, which in turn provide excellent ammunition to counter challengers who claim "our software is just fine."

Another alternative is hiring a security team to analyze a critical application. The deeper the analysis, the better the results will be; but even a quick and dirty penetration test can serve to get the ball rolling.

Training also makes a great starting point, especially if it is focused on developers and architects. The trick to successful software security training is to make sure that whoever develops and delivers it is a bona fide software person. Years of security experience will not help without deep knowledge of C, C++, Java, and software architecture. Developers only listen to their own kind.

No matter what the route, there is no longer any excuse to put off software security. Customers are becoming aware of the problem, regulations demand real solutions, and the reactive network security hacks of the past consistently fail.

Computer security spent many years in a reactive stance, with vendors inventing and peddling band-aid solutions like firewalls, antivirus tools, and intrusion detection engines. Only recently has the stark reality of security begun to sink in. We have no alternative but to build security into the software that we depend on to run the modern world.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading
