Slipping In The Side Door With App Security Message

By Jennifer deJong

August 15, 2006 —

In the beginning, the strategy seemed obvious. Show development managers how the code their teams write can be compromised, and they will buy application security tools designed to help prevent the problem.

But, according to application security tool makers, things haven’t turned out that way. Convincing development managers to adopt the source-code analyzers and black-box testing tools they sell has proved difficult, the tool makers acknowledged.

“It was naive to think developers would take up application security on their own,” said Roger Thornton, founder and chief technology officer for Palo Alto, Calif.-based Fortify Software. They are already under a lot of pressure, he said. “Everyone is asking them for more features, faster.”

Getting developers to adopt security tools is a tricky thing, added Mike Weider, founder and chief technology officer for Waltham, Mass.-based Watchfire. They are accustomed to writing code and handing it off to QA, he said. “They don’t see testing as part of their role, and using the tools slows them down.”

What’s more, the popular sales tactic of analyzing developers’ code and identifying where and why the application is vulnerable to attack didn’t exactly win developers over, noted Caleb Sima, founder and chief technology officer for Atlanta-based SPI Dynamics. “When you come along with a tool that shows developers what they did wrong, that’s a frustrating experience,” he said, which led many developers to rebel. “The developers said, ‘I don’t want you pointing out more problems for me. Just let me do my job.’”

Getting the Message
In spite of these hurdles, application security tools are making their way to developers’ desktops, albeit by a more circuitous route.

Source-code analyzers, which scan code against a database of known vulnerabilities, and black-box testing offerings, which find security holes by attacking an application in much the same way a hacker might, are typically driven into development by the security professionals, according to the tool makers. Charged with carrying out mandates from top management, security professionals are setting policies that require development teams to adopt the tools, they said.

Until recently, security professionals were concerned largely with network-level security, which meant implementing firewalls and intrusion detection systems. But the importance of addressing security at the application level has made its way onto their radar screens, said Sima. “They know the firewall is not enough,” he said. “The message has gotten through.”

Now that companies recognize the problem, “we have moved beyond missionary selling,” added Watchfire’s Weider.

It is hard to say to what extent the tools are selling, as research firms have not estimated the size of the application security market alone. But an IDC report published in December 2005—“Worldwide Security and Vulnerability Management Software 2005–2009 Forecast and Analysis: Taking Control of the Security Environment”—projects that the overall security market, which also includes network security and security management tools, will grow to more than US$3 billion by 2009. The report noted that software security vulnerability products geared to developers and QA professionals are growing in popularity.

Market projections aside, development teams are only just beginning to grasp the implications of building security into the application development process. “They are asking, ‘How do I build application security into the fabric of my company?’” said Kevin Kernan, CEO for McClean, Va.-based Secure Software.

Given the cultural changes that adopting an application security strategy entails, the answer to that question is still evolving. But a few key things are clear, the tool makers said. To develop applications robust enough to withstand Web attacks, companies must address security in every phase of development, beginning with requirements. Also essential is employing a dual approach that includes both white-box and black-box testing tools. Both offerings should be tied to the IDE in which the developer works, and they should strike a balance between offering enough information to be useful, but not so much that they slow developers down, said Nick Allen, director of marketing for Burlington, Mass.-based Klocwork. “You don’t want to overwhelm developers with too much information.” It’s best to give them some latitude, letting them specify, for example: “Show me only the most critical vulnerabilities,” he said.

White Box, Black Box
Source-code analyzers, also known as white-box security tools, scan source code looking for well-known vulnerabilities that hackers could exploit with attacks such as SQL injections, or cross-site scripting errors. White-box tools let developers see the actual source code, said Secure Software’s Kernan. “They walk you through it, showing you the tree structure behind the flaws you have discovered,” he said. “Here’s where the [vulnerability] originated; here’s how to fix it.”

By contrast, black-box offerings, also known as penetration testing tools, offer no such window into the application. They simulate the behavior of a hacker in order to identify where the vulnerabilities lie. “They don’t offer any contextual information,” said Kernan. “You can’t see the inside [the black box].”

But both approaches play a role, he said. White-box tools let developers analyze code as they work, while black-box tools are deployed during testing. “You want to be comprehensive and accurate,” added SPI Dynamics’ Sima. Combining the two technologies is the best way to do that, he said.

If secure coding efforts are to succeed, development managers need to start thinking about application security long before a line of code gets written. One meaningful way to do that is to create requirements use cases that specify “what you don’t want the system to do, not just what you want it do,” said IBM Rational program director Ashok Reddy. For example, a use case could enable a buffer overflow, a commonplace programming error that can result in a security breach, he said.

IBM does not provide white-box or black-box security tools, but offerings from partners, including SPI Dynamics, and San Francisco-based Coverity, plug into the Rational Software Development Platform, said Reddy.

Focusing on security issues in requirements is key to helping development teams address security from the get-go and throughout the application life cycle, the tool makers said. That’s an entirely new mindset for most companies, noted Watchfire’s Weider. “Security was something you [worried about] retroactively, after the fact.”

Even though development managers are responsible for addressing security concerns throughout the application life cycle, they do not bear the burden alone, said Fortify’s Thornton. The work is done by development teams, but security professionals, who drove application security tool adoption in the first place, are responsible for the final sign-off.

“I have looked at your code, and it’s fine. You are no longer accountable. I am,” said Thornton, assuming the role of the security professional. “For me, as a developer, that is how I would want it.”

Share this link: http://www.sdtimes.com/link/29488

Product aims to fix security flaws during app creation Parasoft is making it easier for developers to spot and fix security vulnerabilities that aren't usually caught until after the application is built. Its Application Security Solutions product was released today.

RSA keynote: Lack of security in the cloud breeds distrust Experts say that until cloud security standards mature and are adopted more widely, adoption will be tepid

Fortify, HP give hybrid view of app security By correlating results of dynamic testing and static code analysis, Hybrid 2.0 offers improved vulnerability resolution

Add comment

Name*
Email*
Country

Comment
Preview

News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 3/15/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.
03/17/2010 11:16 AM EST

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.
03/17/2010 11:08 AM EST

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.
03/16/2010 01:10 PM EST