Application Development - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Application Development


Give Secure Code a Chance



 By: Cameron Sturdevant
2006-03-07
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Application Development story.


  Table of Contents:
  1. Give Secure Code a Chance
  2. ' Risk Assessment From the '

Rate This Article:
Poor Best
Give Secure Code a Chance
( Page 1 of 2 )

Tech analysis: Architecture-level views, automation and outsourcing are key.

New services and tools designed to help developers create secure software applications continue to emerge. At the same time, a long-recognized training gap has left some large organizations looking to outsiders for help in creating secure code.

But, is it enough?

Not according to experts including eWEEK Technology Editor Peter Coffee and secure code consultant Gary McGraw, both of whom agree that code review—while important—isnt sufficient to ensure secure code. What is needed to create applications that will act as expected despite deliberate or unintentional efforts to get them to act otherwise is an architectural review that designs security into software.

McGraw, chief technology officer of Cigital, in Dulles, Va., and the author of "Software Security: Building Security In" (Addison-Wesley, 2006), sees software bugs falling into two basic categories: implementation, including such classics as a weakness that allows a buffer overflow, and architectural, vulnerabilities that arent found in individual lines of code but are the result of poor design decisions.

Resource Library:

eWEEK Labs spoke with IT executives from two large, well-known corporations about how they use outside services to architect security into software applications: MasterCard International and Qualcomm.

What does MasterCard have to do with recent CitiBank ATM fraud? Click here to read more.

Terry Stanley, MasterCards vice president of infrastructure and standards in Purchase, N.Y., said that getting support for secure development is not a problem; the issue is getting it done.

"I have no problem getting executive sign-on [for software security projects]," said Stanley. "I also have no problem getting the budget to do what I want it to do. The developers and manufacturers out there say theyre on board. The problem is getting it done. [Secure development] is not as easy as it sounds."

One of the biggest challenges companies face is a constantly shifting technology landscape that makes it difficult for developers to keep up.

Qualcomm uses nearly 3,000 developers to create the software that runs with the companys chips in mobile phones. The company has used software consulting company Cigital on eight engagements during the last 18 months.

"One of the things we didnt have skills with was automated tools for checking our code," said Greg Rose, vice president of technology at Qualcomm, in San Diego. "So, one of the first things that we did with our secure software service was running automated tools against our code base and discovering potential problems."

At the February RSA Conference, in San Jose, Calif., Coca-Colas director of application security spoke about the need to establish well-defined security goals.

Coca-Cola started almost 18 months ago on its security assurance implementation, according to Mark Mehlberg, director of application security at Coca-Cola. "The first step was to find where we were at [regarding secure software] because that is one of the first questions the executives ask. [The next step,] of course, is establishing goals for this capability coupled with the risk you are trying to get the executives to understand. When you start asking for funding, it becomes a barrier unless youve done this first." Mehlberg made these remarks during a presentation on building secure software at the RSA Conference.

Understanding risk is crucial to architecting secure software. eWEEKs Coffee put it this way: "Security assessment is not about the elimination of risk; it is about the appropriate balance of necessary and useful risk with relevant business benefits. Further, security is an area in which you need a relatively narrow but extremely deep and expensively maintained current knowledge to do the job well."

Next Page: Risk assessment from the outside in.





  Reader Comments: Give Secure Code a Chance
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Application Development Articles          >>> More By Cameron Sturdevant
 


xv(VQn;xVKd[nkǶ-u;4II)l%ΟoK3Nt%_:sI BP(!GA 玪\82H~<4<Λ7uL9Y#C rD3,wU E]UeFN3rMq@^s}z;r@/V:ALéM~!2}B;|HJR%hOш1"lX\=;za;B 1V`TK]Kh@SQ*"U){aUh/ /\2r.bL{zF_tCSL4I հHIp{:t,=c9 NRY \StTT}⫶9\I ?bA2xF CIH7l6XpqrŃ5=~b>4 H؎m,ܪn?AW}5 :T۱lꟈe}}uI}|vti"|g9 WPAfPJe+ 9=y\toz{MNڟ:ggc:4t Wh: N*կ=?o!aj;A1la0Mj #3x=jIo]}<: 7cQ<韐_ھBD}# 7’eQo@Ѧn>@|S7pt2eTh^ ;GkoX|ppڦ-M Uǿ G/<Ju̼k䎁B49ȡ蟉$m45pİiStعqR捇Tz@@JR~nV(USeIJ7%DDqv2=~䂋(&pHr> z%E1\ST3q}]7Du..*u5-w{$;{'a 8+gBuәݰ>Wsjn#j$>6(Ztu0Iձ3c)м3 νdrgoMCFc( U,/O`\@Z3.Hpz) E ]q3߀7}`NVTR&L36tNd\IQ '2 %AW$@!-i]R@Az6< -8,rr4  #b\JZ2'9\t{#;\~(΍gr)e| eY|~It eZ&vOZLbmD6],rS m3-Muc{TrP&G#S3a 3z{@ZgޣiK0wrLICb⮢;N'fzn8  Hϱ 2Gla~&AL_XHaN&ꝱn<1ͩiÂqbj9_Aa"tebr&=6=Ȫk^ TUK\w;ıa漇d*Nk'pn7?>{@OM\nGpIN3_iy>grGֶL e jJ=S3e6 i!3T&Z n4 m 24@0ٖk_Xt jWt(:АtŹbXGJ1Bb&^fdhQ iM*c#|3öVoY(w˟TYZfi[*^ |W(-KɁUruXk2읶]%υ(̧6ay+D>UhRF,ÑihiHZ`"!lX)KEYi?O~5<".EX"{9gSOMd՞0Ւ´g9Ц VӈP+1"Y9/LU/V$J#_.ox1FA? %hPcfJf M`.8c\[(ISܧƽ3aMıRۊap:NLb4:Xbr>+j*WT07pnItn2FvIM+nabIHM!rBfP{G~hS22 YӅVjLqr(Y.W%Zg >c_1T)G"M㻆8p8Y_p,M0hO?K0nw^:JS:?b+ ;PE<&{HE0t%_,ŤOM1Cބ~ 5Ie[+[3^>F'E{hCf0!@ Mk8' 9^e=Q]৔Ԉ@|0+9!f +5$?{n#:k EZEiRV+k9i`6a/ElCc$D!24tݣk;J8K*'b(OTg"5e3ViV))]0А:QL";:^6P,2L̺>1ū75pl93@NQ͕G9X Ulri ׸ Aūu#Pe+7atyP?Oﺬ(D׿,:e2RC|#\yY RvVlΠ7o]=iz6VAA= U:1Agx "+[7ت9dء:5Ajs8X$Δp]3a Qna(0'eR jOJ -vfXi:̋Z JMg6r5Aȿ٥@qmcn#"v"9ݩs5!RXnqIeR)U) 1t8:T6uGca luGqHcʌQ%(SY-iq-J.,ߵyN3 a(l_*2l)SgI+Viف% jR&;u5(L \X\kAAf" f%rm>Gw쩺C?3PkZY+^ G{eY,N.=J%UT-V岔P3ͳ!ݓBp]FmFmR…3%!ӛuN@!m|k@a>sP9(KdS 8@ _p-z Ѹm&@)ppýW'.ƸCN^D^NN:km}(-o8dٞhQ^p8K%q{͎y-$Ws5AB& h!DHv:ڢG)'GXv䕤 g[ZUHN~4jGqx'~@0E;䐜B{vR>8 t;`ckvδGNxwĎ_@(NV1k#/x_i)tP[l:]#ΓtWcT1=zj>^Y]s:ͥ}͠M\E{wmhJ _@(V#w8ģ99X;*'q1~<,?ԝj9nkҺ?5L0ܣ,H~$CwGH4BW7G^\>Nx>HАޙc5p꺟#L PvN;lH`445v(~? B~o'; ?--8cCzRI1sMIAҭҽUDYd)=QDǛ)G/?{tH_/lǵ4/ Z8]J|uiê25QfHl0Ȅfq:ѶȒHbLSzD_綀:|~ҳ,R8[;G,Zܯ#!>陖M;~H4sзN/  z($6|ס @վ?IŃOhJN F0B@ ;Y/A+*U7֪8PyJ|}'AϠr N}y\WCr,4vRjfᣇfSsN HK+aUN|S(c` ;Y;pɉMR5,YzDdIdˏf$`)Ɛ}^Ar (q*m\+85ERIGFeɸt:$Kًȑ'YT} -|1G#ϔ~i<Z L`k㌀D~ ChU^)'W)GEhinA7v$](1i^ ߤDx ȍ E˕nNb' db;WbPQQT>$T~vicƽ/b)_ L2n:B x[v|U>f@a>rlPZR)SRFîfuQ?*p89) ,ս!W>>{}LBGVy؃cLABPRftk=0_Q^0lM֯ls乢)_V.aVa{X85/C!*Jy} $HM,ko^H!}J_܊#Y9RITh>pxf@ _+)D8U5c89JO Ci%~^cbEӭqs .i$l`HhVx̟M0סidC4 / q{A6K B4k%Ep谰? fF0(tV \w'^' 8u%MR)$s|˯ɗ_DFFn?0TL|X;<9/֔"hV2p,UUDRO´(1om"AOG /=krcŵd81WB_pE/SRvtvyolQhJy|G #𫀿;;;;@w"%|+>N뢃@Q J/p<2lX'*> _?O0Y>6fѻ ͍߰n /UN$~HX Ww;ecR9^M"< F4 ^>p+p۞I拀ِKUϛ Y fxfxZ%{Z9#XdgO!=*'!gk QVYBp -S0W(O3f)[1 DA$-8B$D!mtȵoOP/os/6Cbqb.kCC)dzZ=Cޛc!L܏~ o^PF6i> Y%&(@]PI'T_[˶o~8 rQ.U* wmaE(papaoz '  #i؀ ;$Ef:e}qrMJ$YZ J2P6m{`zjZa'3P=ӂ"^Glۏ\VJZ%Ysvf :K54}sY]d9_K>HP.$6_;;tKAt9 c}_ w-WwF=Cbve,GAH+~ +^c"WmL{: vh&vݕt\NuzTB}F ;F}1~bK:Tyo1Vٹ4-^ayo˲\Mȶ8K.NS)q<3VmS@$=L^J +_߈C*qq{ZP}Tbx4EWOĈVR>dD9m'Oa<`21?dDxa1aB)˪M;InP}wY?e=` ' U/_\}ĭbAIzb+;Y!kb^<`Ac+qƴͮggIcokI `} O1tݢ_JyD~Fчǻ|TS/b#Q4Fb)~oq#bRzވp):# h Z b-ljm{7R[ $y܎=Z.ED]& q}n꜓M﷯{Ȑf;3&2>Sf9]L: ( !'vQ]^ sb\3 Bx7ư@s.m`?{{φLolJQ75|ąrkqC9”YoF˞t 1Iݹ`?އ1΀ lZ: F2*mG?M=_{=*>I7%œ 5" e4)-n#Dts420fh60m͚1;T\G1SsE%zHA W#CdcFa T? )I*+E}Y@q#LL݂zĂB|~J¬! P/1j3#j 9/Y,aF0qs<F"O[Gqԩ[ܕy690 0Y kػy-AG$G71T=` ?z-i.us X\jHCj$й:y,@#!k'c5úޝ/\`p3W jrU*OB&ӁTds] e8j.}m7kYhVXű%0M蕴B^ȈPq/YwF`j>U0 }fڟ`I ZWWiuMzzם~{I<ڄm-J-:Gݓݫϧu粟k|j5_^dE^f(?A2/"2c|/A~.32c7.n~f+ 2޿>_?B?}OP))~2w7Y7{dwɹN2!(oeY No\8G\(_YWAa uyQ~"AyJ ,c2\)ː s;Y?u'u CfFWT=k /dmOUZk8VӮnq_lΣ_xi +Ie<$xErz. Sl?V\[/Oнۺ{ϊRݓ3+z`~La.1Wߕ\~SnE+t"LkXE)c9 8Gc_jQ'bZvd4kp'ϠybAZXf60 Vt{rM$n f2n_~T|uӚܴO]Mŭhg?>/YdֺWWV5WlNA6KER>Y,hvxCo2Q2M35üEYRw8 0׀z󡧚Oyw_ eR{qZРn> MڳiH?YAD ]FdE%QIPJE:(PPफ़h[vRjoR`' YZ8an%[1aV?&gMm@O瀍#ZCgi&58M!Z76@cmc߻C{ /mcx u0!t6 rzPdKdp.g\-Zыt!Px˺ j*XԞ/gfj0ňkCEHf_!x'GԗwؼO=![108k~h0053]\ȇ~'~=^k&b <n#QcWFDۀ2śiD VN#dk-L&$C@/06ٝhx\tSLjU?NŒ6@$YAr2Of xF V'v{5B)Hπ ԝ!zo>7SãS%VNo'b_wnT7eE&PL)JqIХE7z4݈ A6+yJ>? T|ޭklIN`tZD89fAm'{ʿl܅O)U l[:ֵd2- {kc'p' !-X0fz, 9zn% /1-ixecC`"=_vs[>'_8Qlw9k+FɀH>Y;x5Rb&(/j0~ Ӗ9_Khc{żpʦ#fS.& Axv4<1Tz[E@ME7)UD&㉵AAؚBdBgʲ 7cP.~g-n$oB@*U xZyƊ{_yl>WLENE,<bSf}')ZO_Xџ_Q>1[Z=H^<|=#;έiwmڟ?vޘ#{Ox|੏W|[w13{_f1[0̴~i~·~/;o eE7`j{D9h~af8P"5TuVT]g}T=A=@;V?4\|)9fgYӅ||==fŚfCQ`?cMԽήKJ{FX b5 _+3b.z4Dڃ3N*p)H0\=,J往1C9GT3s$Nm;+4?CQдEͼCZ’qP*u=a+EHB(놥9ҾR>XyrxQDWH˻v+bF惡wh C?%na7C E#w(K\KZ}'VIi9Q~hd pĥTx} n(>5)>Kj:pxJ_V)o`Qb8z9hN+)4Ǩ}xHdD}^Itց!yjz H_tP Z8fNsV '@í&f `t@Tj#8x3ͤs>Ƀ5CEbaOOy_AgF '3rY*Dk6{:A/g?7tLZ`.8E]R l:4ȶz[tBg7e!$Tu透v>Q%Ef`u[la}HYA p:97+21uLz v|;;@F{7)DrǷG:Ƽz9sapC3iΠeSfCY65)}C:bV 1!ϦmbV;C9!cBSu<>GP+aBhì73 nTڰӓ\vT=i$Z~s`Nա!n8A@h zȠ&܅%$B$e\%:IMX,, 0D79!>TSo;1ni֎$Ydl<QZXp /3#r/IuNn:(|6ci`OxhH~J>G ߨv•?Oyj7E oyIՈAIvB 83"e^[%+}aW y.qx 7 sr)rSfe7]ITԤ{P-i z,^~bK:$V)=n/Ι$c0^^;>.D]qF.["YQwgn>vzbp rg<]/Z#$Mgܨh‘O{Xa47IIT kXZ1`4ixXkZi)/:+?_>FNOPǣPcjk0 u GR󼶓.evxҽz-z}H)B/,*EQ4*RXV*=nIDC¯9 n=ءpI8ٰ)nr8[oVU蘍ڎ]ǿ#n^q(QlZ&,9_ c`rǂ ᭅ9a|^2[v/isSGhagazF[0H5Bl4*ר7·y0ep?~AJT+bv9%"f{g;a7 ,-ImrVnw'!&V6CPb0Nv=̭QN#+^:|+" ݁ś4AEdsdm?