Secure software development practices 'not rocket science'

By Colleen Frye, News Writer 03 Dec 2008 | SearchSoftwareQuality.com

Software quality news and advice Digg This!     StumbleUpon     Del.icio.us

What happens when a bunch of software industry leaders put their heads together to address the ever-thorny issue of software security? They find they share a lot of common practices that can be applied across diverse environments.

SAFECode's guide isn't a list of best practices. This is a list of things actually being done and shown to be demonstrably secure. Michael Howard Microsoft's Trustworthy Computing Group

"That's the coolest part of the story," said Michael Howard, a principal security program manager in Microsoft's Trustworthy Computing Group and a contributor to the recent document "Fundamental Practices for Secure Software Development." This guide to secure development practices was released by the nonprofit Software Assurance Forum for Excellence in Code (SAFECode), which was founded last year and includes EMC, Juniper Networks, Microsoft, Nokia, SAP, and Symantec as members.

There are two striking aspects to SAFECode's guide, Howard said. "For the first time ever you see the industry agree on something from a security perspective and document it." And, he added, "This isn't a list of best practices. This is a list of things actually being done and shown to be demonstrably secure."

The guide details security practices for each stage of the software development lifecycle, which Howard said can be applied to any type of software development.

"That's one of the beauties of this document," he said. "The common ground between all the companies makes it applicable to any software out there — database applications or Web applications or embedded systems. And the way we laid it out, I think it will be relatively straightforward for developers, which is why we included links in the document."

SAFECode's recommended practices across the lifecycle are as follows:

• Requirements: Define a set of activities to formalize the security requirements for a specific product release.

• Design: Conduct threat analysis (also called threat modeling or risk analysis) to identify architectural and design security flaws before code is committed.

• Programming: Minimize unsafe function use, use the latest compiler toolset, use static and dynamic analysis tools, conduct manual code reviews, validate input and output, and more. (See the guide for additional secure programming practices.)

• Testing: Recommendations include fuzz testing, penetration testing and third-party assessment, and use of automated testing tools.

• Code Integrity and Handling: Implement controls to address access, storage, and handling during the development process.

  Secure software development resources Build security into the SDLC and keep the bad guys out Writing software requirements that address security issues The essentials of Web application threat modeling

• Documentation: Provide details for customers on how to securely configure their software.

Of all these lifecycle practices, Howard said threat analysis is the most important, and a practice all of the guide contributors had in common.

"It was surprising to me, and I was happy to see, that all [SAFECode] vendors do some kind of threat modeling," he said. "The problem with a lot of software development from a security perspective is that a lot of it focuses on coding bugs, which is fine, but you can't lose track of design issues. The beauty of threat modeling is it helps uncover design issues and to understand which components are most at risk. It ends up being the linchpin of the rest of the process. It's critical to get it right."

For organizations looking to apply these practices, Howard said that from a technology perspective, "it's all easy. This stuff works, and it's not rocket science — you've just got to do it."

Challenges: Pushback, costs, time
One difficulty, though, could be management pushback, Howard said. "Unless the management team in your company understands that this stuff is important, it will be an uphill battle."

There are some costs to applying these practices, as well, Howard said. In terms of tooling and requirements, he said, "a lot of these things are very cheap indeed." Educating and training employees in these practices will cost some money, he said, but there are cost-effective ways to train.

Also, he said, "following these recommendations and ideas probably does add time up front. We know at Microsoft it did, then it became just part of the job, and at that point it really didn't cost more."

Howard also said many of these practices can be automated. "You can make a huge chunk of this part of your check-in requirements, so when someone checks in code there are a bunch of things that run. A big problem today with security is that there is a lot of stigma associated with it" in terms of expense. In reality, he said, organizations can get some early benefits "for minimal investment."





Tags: Building security into the SDLC (Software development life cycle),  Software security testing and techniques,  VIEW ALL TAGS




Digg This!     StumbleUpon     Del.icio.us






RELATED CONTENT Building security into the SDLC (Software development life cycle) Problems caused by skipping analysis stage of SDLC Inexpensive phase of SDLC to catch and fix bugs GatherSpace beefs up cloud-based requirements management ALM: Best of breed vs. complete systems Software development life cycle phases, iterations, explained step by step The role of quality assurance (QA) pros in software security Common software security risks and oversights Why the quality assurance department should be involved in testing How to develop secure applications How to prevent HTTP response splitting Software security testing and techniques Web application security best practices: Tips on implementation Testing strategies for complex environments How to make your software tamperproof Ways to approach application performance testing on a tight budget How can I tell if my software security has been breached? Is online application testing for smartphones different from other software testing? Software testers facing six big challenges today, StarWest keynoter says Lesser-known free software testing tools testers should try Is manually testing a software project for flaws too risky? Affordable automated testing tools for securing websites

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary