Major software makers fail security transparency test

By David Worthington

April 24, 2009 —

A majority of the industry's leading software makers surveyed by SD Times lack transparency about the internal principles that they use for writing secure software. Analysts believe that those companies are either practicing security by obscurity, do not adequately perform security practices during software development, or are simply unwilling to talk about it.

In March, we threw down the gauntlet and challenged leading software companies and organizations to show us what they are doing to write secure software. Not one of the 23 companies and organizations that we listed responded, and in a follow-up in April, only four provided us with answers.

The question was inspired by the publication of Microsoft's Security Development Lifecycle software security assurance process in 2004, as well as the company's subsequent steps to share that blueprint with developers within enterprises or third-party application firms.

Microsoft does not ship software unless it has been put through the SDL process, and it credits the process for markedly reducing security vulnerabilities in its products.

Adobe, Amazon.com, the Apache Software Foundation, Apple, CollabNet, the Eclipse Foundation, the Free Software Foundation, IBM, Intel, the Linux Foundation, Oracle, Red Hat, Software AG, Sun Microsystems, Sybase, VMware and Yahoo did not respond to our inquiry. Nokia and Salesforce.com acknowledged the request but were unable to provide comment by deadline.

"There is such a disconnect between security experts and application development professionals that they probably lack the ability to respond in a coherent manner," said Mike Gualtieri, a senior analyst with Forrester Research.

"Security at many firms is done after the software development life cycle. Also, they probably don't want to reveal their app dev security process because it could be sub-par to where it should be and encourage hackers to attack, attack, attack."

Google has published a security resource on its Security and Privacy page for Google Apps. That resource includes a white paper that provides information about Google's general organizational and operational security practices to customers, partners and users, said spokesperson Jay Nancarrow.

Hewlett-Packard developed an automated method for threat modeling and security requirements, and it has applied that to its products for the past three to four years, said Caleb Sima, CTO of HP's Application Security Center.

"This eliminates a huge amount of security vulnerabilities very early in the cycle, and [it] is the first that I have seen that has been automated to a point where a security expert is not needed to do the analysis," he added. "It also does traceability of each security requirement to the line of multiple compliance areas such as PCI."

Novell has published a security development life cycle for its Linux-based products, said spokesperson Ian Bruce.

TIBCO Software follows a mature Product Lifecycle Management (PLC) process for product specification, development and life-cycle sustenance, according to Don Adams, vice president and chief security officer for worldwide government at TIBCO. The security and trustworthiness guidelines posed by the PLC reflect the sensitive nature of the information that TIBCO's customers transact in electronic trading systems, global commerce and many of the world's government secrets, he said.

"TIBCO engineering deepened this commitment to trustworthy development processes when they undertook their first Common Criteria evaluation," Adams added. Common Criteria evaluation is a program established by the U.S. National Security Agency to measure the security of commercial software products.

Many companies may have a reasonable technical story to tell about how they approach security, but many feel that the less said the better, said Rex Black, president of Rex Black Consulting Services. "In other words, they perhaps don't want their name featured in an article about security problems, no matter how it's mentioned."

Other companies aren't actually doing anything about security at a unified, company-wide level, he said. "Some individuals and project teams do things well from a quality and security point of view, but others do little if anything." These companies do not want to look disorganized or unconcerned about security, he added, "and neither is a good way to look at this point."

Some companies could be painted in a more flattering light, but they could have a policy not to discuss what they do for security, "so as not to enable hackers to figure out how to attack their products through analysis of their technique," Black said. However, he noted that few security experts have anything good to say about the practice of security by obscurity.

Related Search Term(s): security

Share this link: http://www.sdtimes.com/link/33432

RSA keynote: Lack of security in the cloud breeds distrust Experts say that until cloud security standards mature and are adopted more widely, adoption will be tepid

Fortify, HP give hybrid view of app security By correlating results of dynamic testing and static code analysis, Hybrid 2.0 offers improved vulnerability resolution

Application security, IBM style Jack Danahy, founder of Ounce Labs, discusses acquisitions by IBM and what he sees in the security space

Comments

04/24/2009 06:24:36 PM EST

Do you really believe The Linux Foundation is practicing security through obscurity or any other Open Source project/company?

United StatesRichard Chapman

05/20/2009 05:10:53 PM EST

@Richard I don't buy that argument that 'more eyes' automatically means more security. The requirements that go into developing the software, and the tools that are used matter regardless of the methodology.

United StatesDavid Worthington

Add comment

Name*
Email*
Country

Comment
Preview

News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 3/15/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.
03/17/2010 11:16 AM EST

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.
03/17/2010 11:08 AM EST

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.
03/16/2010 01:10 PM EST