Slow Implementation
By Ericka Chickowski | Posted 2008-10-30
Many security insiders believe that the only way organizations will be able to effectively meet the onslaught of attacks against Web and other homespun applications is to implement secure coding practices from the ground up.
Unfortunately, it isn’t just a matter of spending money and rolling out a nifty new tool. It takes a thoughtful overhaul of procedures and practices to design and verify code better throughout the development lifecycle.
“Clearly, you need some sort of a governance process on top of it all,” Fortify’s Chess says, “to make sure that the right people are talking to each other and that they are coordinating appropriately, because this cuts across the organization.”
However, implementing a governance plan can take time.
“We don’t see anybody changing overnight,” says Greg Hanchin, principal at DirecSec, a value-added reseller that specializes in security. “You can’t just go in and establish a secure coding process around five or 10 years of code.
“Here’s what you can do: Under the hamster wheel of people, process and technologies, you can attempt to bring technology in and get your people and processes around that mission of making software better incrementally. It probably takes a couple of years in the development cycle process to actually make a meaningful change.”
In the meantime, there is at least one shortcut organizations can take to reduce their exposure.
“I recommend starting with some modern development frameworks,” WhiteHat’s Grossman says. “A lot of time, the security is already baked into new frameworks like .NET and J2EE [Java 2 Platform, Enterprise Edition]. If you use them properly, you can develop code really, really quickly—code that also happens to be secure.”
“Too often, security is bolted on at the end of the software lifecycle as a response to a threat or after an exposure,” warns Howard Schmidt, president of the Information Security Forum and a board member of (ISC)2, a not-for-profit global firm that educates and certifies information security professionals. “New applications that lack basic security controls are being developed every day, and thousands of existing vulnerabilities are being ignored.”
(ISC)2 is determined to do something about this situation. It recently announced a new certification, the Certified Secure Software Lifecycle Professional (CSSLP), to “validate secure software development practices and expertise.” The goal is to establish best practices and validate a professional’s competency in addressing security issues throughout the software lifecycle.
The CSSLP is code-language-neutral and is applicable to anyone involved in the software lifecycle, such as analysts, developers, software engineers and architects, project managers, software quality assurance testers and programmers. Areas covered by the exam include lifecycle vulnerabilities, risk, information security fundamentals and compliance.
“The CSSLP ensures that people—our first line of defense in this war—have the tools and knowledge to implement and enforce security throughout the software lifecycle,” says W. Hord Tipton, executive director for (ISC)2.