CAMBRIDGE, MASS. -- The software development life cycle (SDLC) has a gaping hole in it: application security. As networks have become more secure, attacks against applications have greatly increased, and many professionals don't know how to incorporate security into their SDLC.
What we are doing right now is not working, Ryan Berg warned his audience at the Software Testing and Performance conference last week in Cambridge, Mass. Berg, Chief Scientist at Ounce Labs, offered frank, practical advice to his listeners on integrating security into their SDLC processes.Software vulnerabilities on the rise
New, reported software vulnerabilities are steadily increasing, from just 417 in 1999 to nearly 6,000 in 2005. The reason for that, says Berg, is "because we must increasingly provide access to our applications and data via the Internet." And malicious users can easily find vulnerabilities using Google and other tools.
To stem the tide, organizations "need to become proactive instead of reactive when it comes to security," he said. "There needs to be a shift from the 'prove to me that my application is exploitable' mentality to one which embraces defense in depth."
With pressure to create innovative, complicated applications rather than secure ones, it's hardly surprising that software vulnerabilities are increasing.All about the applications
"It used to be all about the network," Berg said, "now it's all about the applications." Many in the IT industry have heard this before, but it may need to be repeated another three or four thousand times before organizations begin churning out applications that are secure from the start, he said.
"IT in many cases is still focused on perimeter security, and more recently on authentication and authorization ... because these are things over which they traditionally had control," Berg said.
Many IT professionals want to secure their applications, but they haven't done so because they don't know how. Unlike network security, application security lacks a playbook to which professionals can refer. Application security requires a rethinking of the security problem, he said.
Berg notes that "more sophisticated IT organizations are using penetration testing, but this is often too late."
There is also more pressure on the industry to pay attention to application security. With at least 70% to 80% of Web sites sporting a serious vulnerability, insecure applications are making headlines. (See sidebar.)
More than avoiding negative press, organizations need to worry about government regulations. Sarbanes-Oxley, CISP-PCI, HIPAA and ISO 17799 are just a few of the regulations affecting application security.A new approach
Application security needs improvement, Berg stressed. And that will require the cooperation of many people within an organization. "Addressing the security of applications is as much an organizational shift as it is a technical one," he said.
"We as an industry need to recognize that this is not a developer problem," noted Berg. Too much of the responsibility for security is laid at the feet of developers, and too little information is given to developers to aid them. "You can't blame developers for what was done insecurely if you don't give them the knowledge and tools to do it securely in the first place," he said.
"A concentrated effort to define a set of core coding best practices that are communicated, implemented, and then tested against will have an immediate, significant impact on the security of projects in development," Berg added. "This is a development problem and requires a solution that expands the SDLC all the way back to requirements."
Development management, corporate security, audit and compliance, quality assurance and software development all need to work to secure applications, Berg said. Security must be baked into virtually every aspect of the design process, and it should be implemented as often as is practical.
If that sounds impossible, Berg offers some practical and applicable objectives for IT professionals. He urges improving upon existing development processes, not creating new ones. And using models as a base will make adoption easier. He emphasized three different models -- independent, distributed and centralized. Each model has its own advantages and disadvantages and organizations should carefully consider which one is most beneficial to them. For more on these models, including detailed diagrams, see Berg's white paper, Secure at the Source.
Obstacles to application security
There are a number of misconceptions that prevent IT professionals from integrating security into the SDLC. Berg has a response to each of these.
For example, instead of resigning to the idea that security and development are too disparate to work together, Berg advises that support from management and mutual goals will smooth the course. Another discouraging belief held by many is that time constraints and the push to release as soon as possible won't allow for security testing.
Time constraints are a major concern for some in the security industry. Even behemoth Microsoft, when developing Windows Server 2003, stopped production for two months in order to concentrate on security. But Microsoft can do that. For smaller companies, Berg maintains that incorporating security is efficient in the long-term, and this sentiment is echoed by other experts. By reducing maintenance and patch costs, Berg added, companies ultimately save time and money.
The final obstacle that Berg dismisses is "[P]eer review sufficiently addresses security issues." It does not, although it can be a quality measure, he said.
Incorporating security into the SDLC is essential to application security. However, this concept is alluded to far more often than it is implemented, Berg said. He a practical way to begin the process.
A solution is needed that "requires more cross-functional involvement," he said. "QA needs to incorporate security testing along with use and abuse testing." This includes a use case that "models the hacker." Audit and compliance need to clearly state what the requirements are.
Finally, management must be engaged in the endeavor. Management must "be involved to make sure all the groups are interacting," Berg said, and they must "apply the additional resources, training and tools where appropriate."
To accomplish those goals, organizations need a comprehensive plan that can be tracked, he added. "I recommend the organizations start small: identify a cross-functional team of stakeholders, build a set of standards using well-defined industry best practices, and identify a project for implementation," Berg advised. "Then build from there."