SAN MATEO, CALIF. -- The state of software security is getting better, but there's still quite a way to go.
That was the message at this week's Software Security Summit where security officers, development managers, analysts and developers gathered to learn about threats to software and how to prevent their applications from falling victim to attack.
"Software security awareness is getting better, but there's still a lot of people who don't know about it," said Gary McGraw, CTO of security firm Cigital. "More people need to be aware."
Danny Allan, director of strategic research at Watchfire, agreed with McGraw that awareness is growing, but he said the industry is still having trouble communicating the importance of software security.
"We've driven awareness to the CEO level, but we haven't shown them how to address the issue. We haven't answered the questions of why are we having bugs," Allan said. "We're instead saying what the problems are. The causes have not changed in 15 years. We have new bugs, but the same causes."
For companies to address the software security issue, they need a plan, both McGraw and Allan said. On top of that, they need a portal -- a place to store information such as patters, guidelines and code samples -- they need to align security with the software development life cycle (SDLC), and they need training.
That training applies to architects, software testers and developers.
Chris Bush, an information security analyst at KeyBank, said he's starting to see companies provide training and education for developers and that's increasing their awareness of the problem.
"Developers are smart people. It doesn't take much for them to understand what's going on," he said.
Herbert H. Thompson, Ph.D., chief security strategist at People Security, echoed that in his keynote address Monday. "Developers are smart people who want to do the right thing. Incomplete requirements, undocumented assumptions, the lack of security knowledge and bad metrics can push them to do the wrong thing," he said.
Getting into the mind of a hacker
Thompson strongly urged people to think like bad guys to make sure their software is being reviewed and tested properly. There are lots of things people can learn from how people break software, he said.
"We need to think like the bad guy and consider business risks," Thompson said. "We need to know 'hackernomics' -- the social science of thinking like the bad guy."
To help attendees better understand software attacks and hackers, Thompson outlined five facts about hackers and software security.
1. Most attackers aren't evil or insane. They just want something.
"This is good news because we can't protect against someone who's fundamentally evil, but we can protect against someone who's sane and motivated," Thompson said. "We don't have the budget to protect against evil people, but we can protect against people who will look for weaker targets."
2. Hackers may attack you, but auditors will show up. Security isn't about security; it's about mitigating risk at some cost. A common pitfall, however, is that In the absence of metrics, companies tend to over focus on risks that are familiar or recent.
3. Most costly breaches come from simple failures, not from attacker ingenuity. It's usually silly policy stuff. However, Thompson warned, bad guys can be very creative if properly "incentivized."
4. In the absence of security education or experience, people naturally make poor security decisions with technology. Software needs to be easy to use securely and difficult to use insecurely. Software makers need to give users guidance for how to do something. You can't assume they'll make good security decisions.
5. Attackers don't get in by breaching a security mechanism; they leverage functionality in some unexpected way.
What that means is the software had some functionality that was never intended, Thompson said. It isn't necessarily a flaw, just extra features.
"Security testing is not just verifying software works as intended, but making sure it doesn't have extra features," he said. "In the process of doing B, it also does C, D and E."
How to prevent attacks
Thompson said companies need to rethink what security testing is all about. "I propose it is about finding business risks that come from software," he said. "Verify the process of the security functionality, verify the functional code behaves securely, and think like the bad guy and consider the business risks."
Thompson also said companies need to methodically attack (test) the software and systems themselves. Attack dependencies, attack the user interface, attack the design and attack the implementation.
More than that, Allan said, is getting companies to integrate security throughout the development lifecycle, including requirements, architecture, development and quality assurance.
"That, however, will require changing the culture so they can understand the causes for the security problems," he said. "Then we can get to a much broader coverage of security."
Companies need to understand the importance of finding vulnerabilities early in the development life cycle, Bush added.
"What we've tried to do now is make project teams understand that we're here to help find vulnerabilities as early as possible," he said. "It's difficult to quantify how much it costs to have secure software. I just know we can help them save costs by finding bugs earlier."
But software security companies and experts have to focus on giving companies a practical way to improve the security of their applications. "We know where we are, we know where we want to go; we have to give them a way to get there -- a roadmap," Allan said.