From the Editors: Programmers against sloppy security

By SD Times News Team

April 1, 2009 —

No honest software developer sets out to write insecure software. Every architect, every programmer, every tester sincerely believes that the code is solid, bug-free and safe.

Yet, of course, we know better, because systems and applications are not secure. Sometimes the architect’s design is flawed. Sometimes the programmer makes assumptions that prove to be false, or forgets to check a buffer or return value. Sometimes a typo creates a vulnerability. Sometimes the testers fail to imagine the creativity of an attack. And sometimes the vulnerability is caused by a dependency that nobody understood.

Consultants and security tools providers, like the well-meaning experts at Cigital and Fortify, are right to continue focusing on this issue. They’re right to offer training and products that can help architects design more secure software, help programmers write more secure software, and help testers spot vulnerabilities that the architects and programmers missed.

To the array of security-awareness tools, we now have the new Building Security In Maturity Model. This initiative has two goals: one spoken, one understood. The spoken goal is to raise awareness. The unspoken goal, of course, is to raise those companies’ visibility and get them more clients and software sales.

The “Building Security In” phrase, in particular, is one that Cigital CEO Gary McGraw has used as a book title and as the topic of numerous lectures and keynotes. It’s a good message, one that needs to be heard.

There are two basic approaches to software security. One is to get software developers to write and deploy more secure software. That’s a never-ending battle, akin to preventing automobile accidents by getting drivers to be more careful. Education can help, but just as no amount of driver’s ed will prevent cars from smashing into each other, no amount of developer training will eradicate all software security defects.

The second approach is to count on tools to protect us from the effects of insecure software. That’s where enterprise IT tends to focus, as it keeps on buying more firewalls, a spam filter, a virus scanner or a source-code analyzer. That too is a never-ending battle, similar to buying cars with more and more airbags, anti-lock brakes, traction control systems, lane-change warnings, backup cameras and so on. These IT security products surely help, but there’s no way they will catch everything that sloppy programmers and malicious hackers toss at the data center.

So, yes, we support every effort keep awareness high. Think of Cigital and Fortify as key players in the “Programmers Against Sloppy Security” movement (analogous to Mothers Against Drunk Driving), as they keep us focused on a crisis that, sadly, we never see going away. We need all the reminders we can get.

Buzzword-driven development
Model-driven development. Test-driven development. Database-driven development. Now there’s Domain-Driven Development (and, with a wink, Faith-Based Development. Are we living in an age of buzzword-driven development? What do all these methodologies mean? Don’t they conflict with each other?

Without sparking a religious war, it’s our belief that many software development organizations tend to follow the methodology that’s preached by their most recent consultant—or the keynote speaker at the conference that their manager just attended.

The reality is that many of these methodologies only appear to be different, and when you dive deeper, you find that they can all lead you to the Promised Land. It is very much like the story about the blind men examining an elephant: The same animal looks very different if you’re touching the wrinkled trunk, the fast-moving tail, the big floppy ears or the smooth tusks.

When a development team looks at a project, it helps to have a perspective, something to focus on. Should you focus on the model? Should you focus on the test harness? Should you focus on the database? Should you focus on the vocabulary used by the stakeholders? The answer is: “Yes.” All of these are important. So, pick the focus that seems right to you (or to your consultant, or to your boss’ keynote speaker). The important thing is to all focus on the same thing… and then get the job done.

Related Search Term(s): editorials, security

Share this link: http://www.sdtimes.com/link/33366

RSA keynote: Lack of security in the cloud breeds distrust Experts say that until cloud security standards mature and are adopted more widely, adoption will be tepid

Fortify, HP give hybrid view of app security By correlating results of dynamic testing and static code analysis, Hybrid 2.0 offers improved vulnerability resolution

Application security, IBM style Jack Danahy, founder of Ounce Labs, discusses acquisitions by IBM and what he sees in the security space

Comments

04/01/2009 02:11:12 PM EST

It's not just education vs. tools. There's a third option. We need to make it easier for developers to do the right thing. How about arming all developers with set of good security controls? For the most part developers have to write all their own security controls, virtually guaranteeing vulnerabilities. Check out the OWASP ESAPI project - our mission is to ensure that all developers in every environment have a set of strong and easy to use security controls. Until we do that, it's just another hamster-wheel-of-pain.

United StatesJeff Williams

04/01/2009 03:18:59 PM EST

Good points. Security is an enterprise issue and not to be borne on the shoulders of the development community only. A key initiative for 2009 is for organizations to “do” something to further protect assets and their brands. - Jennifer Sullivan - CMO, Ounce Labs

United StatesJennifer Sullivan

Add comment

Name*
Email*
Country

Comment
Preview

News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 3/15/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.
03/17/2010 11:16 AM EST

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.
03/17/2010 11:08 AM EST

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.
03/16/2010 01:10 PM EST