Application Development - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Application Development


How to Create Secure Software Development



 By: Ed Adams
2008-03-14
Article Rating:starstarstarstarstar / 9


There are 0 user comments on this Application Development story.


Rate This Article:
Poor Best
Secure software development often goes unassured, if only because companies dont know how to go about it. Ed Adams, CEO of Security Innovation, shows that it can be handled in five steps that can be performed as tasks by a development team.

A sound, secure software development life cycle has five key steps: prioritizing applications, constructing guidelines, defining standards, training a team, and identifying tools and metrics. However, it all starts with risk prioritizationan often forgotten, but most critical step.

Most organizations have a formal risk management process in place. Many have already ranked their applications based on answers to questions such as: "How critical is the application?", "Does the application touch certain sensitive data?" and "Is there a Web-facing component?"

However, organizations tend to struggle with the ability to quantify  the security risk of these applications, as well as the documents' adherence to certain regulatory compliance initiatives for their software development processes. The objective of a secure SDLC (Software Development Lifecycle) program is to map risk management practices to the various phases of a software development life cycle. This yields three substantial benefits:

First, it ensures that you are covered for your compliance requirements with respect to application development. Second, it provides a mechanism for measuring application security within the same risk management framework you're already using. And third, it allows you to create more secure applications, which will reduce the risk exposure of your business and minimize the "VaR" (Value at Risk) that is managed by your applications.

Step 1: Prioritize Applications

Resource Library:

Starting with a pilot application provides a baseline from which to grow. Many organizations will change the risk ranking of an application after it has gone through a security assessment. There are two reasons why this is done: either because they have become aware of vulnerabilities in an application or, just as often, they remain aware of vulnerabilities that are already protected against (via a compensating control that had already been put in place).

Conducting an analysis of existing software development processes allows you to construct a gap analysis, as well as identify specific activities in the SDLC that need to be improved with respect to security. It also helps determine if the application development team, whether they are in-house or outsourced, understand the requirements and policies to which they are being asked to adhere.

The second component of this stage is to measure the security quality of a pilot application via a code review and/or penetration testing, which provides a baseline from which to measure improvement.

Step 2: Construct Guidelines

The next step is to construct high-level security guidance for team members. This is driven by the gap analysis performed in Step 1 and is mapped to your specific security policies. Many organizations already have these high-level guidelines in place, as they may have been adapted from an industry "standard" such as ISO 17799 or OWASP. The challenge with adapted standards is that they provide no context for your organization, and are either very vague ( ISO) or limited (OWASP).

The best approach is to adopt and roll out security guidelines that are specific to your organization and software development process. You need to include "gates" so it is clear when (and why) a project is allowed to be passed on to the next team member and phase of the SDLC. It is irrelevant whether your applications are built internally or outsourced. Once you have guidelines defined for each team member and role (such as architect or developer), you can "outsource" the development phase quite easily. It doesn't matter if the development team exists physically or logistically, as long as they are held to the defined security and design requirements.

Step 3: Define Corporate Standards

The next step is to detail those guidelines and tie them into your information security policies, data classification standards and any regulatory initiatives to which you must comply (such as PCI, Sarbanes-Oxley Act or Health Insurance Portability and Accountability Act). The purpose of this step is to create corporate standards for secure application development. Many requirements, such as PCI, require that you adopt and document "industry best practices for secure application development." That is precisely what this step is intended to achieve.  

As with all good security standards and policies, you need to create easily understandable and implementable procedures for those policies. This includes policy "translation"the ability to bridge the gap between business risk policies and how they are interpreted and implemented by the software development team or teams.

Step 4: Train Your Teams

Once you have built your policies, constructed your corporate secure coding standards and provided procedures for implementation, you need to give your people the training they need to implement correctly. Training should not be limited to technical training for your development team. Managers, business analysts and internal auditors or security assessors also need to be trained. A good curriculum will include 100-level "awareness" training, as well as 200- and 300-level courses for roles such as manager, business analyst, architect or developer.

Step 5: Identify Tools and Metrics

The identification of appropriate tools your team will use should go hand-in-hand with the training. It is important that you select the right tools for defining, developing and testing your applications. It is also crucial that you choose tools for security guidance and integration into your existing workflows and risk management procedures.

No program can be successful without the ability to measure its progress. Therefore, the definition of metrics is critical. Context is extremely important. You need to select metrics that are meaningful to you and your organization. A common metric is "Security Requirements Coverage"how many of your active projects are meeting 75 percent or more of the defined security requirements. However, there are many other metrics suitable for your organization's objectives. Be sure to spend some time determining what they should be.

Ed Adams, CEO of Security Innovation, is a seasoned software executive with successful business experience in various-sized organizations that serve the IT security and quality assurance industries. He leverages his technical and business skills, as well as his pervasive industry experience, to direct world-renowned application security experts and to deliver world-class professional services to many of the most recognizable companies in the world (such as Microsoft, IBM, Visa, ING, Symantec, SAP and Hewlett-Packard).

Prior to Security Innovation, Mr. Adams held senior management positions at Ipswitch; VeriTest, a division of Lionbridge Technologies; Rational Software (now IBM), Logistic Solutions; MathSoft; Foster-Miller; and two U.S. Army Research Labs. He earned his MBA degree with honors from Boston  College, and has B.A. degrees in Mechanical Engineering and English Literature from the University of Massachusetts. Ed Adams can be reached at eadams@securityinnovation.com.





  Reader Comments: How to Create Secure Software Development
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Application Development Articles          >>> More By Ed Adams
 


xr8(1ViW1E]Rlɶ,cS_"!mԐm~}7m=_Um@"7$$ W7-gDڮ9)ٟfߧG,zIÇ@@ejFUfLU3JԶnT7n[#1P/S?`W᳙(,Q  tjOt0]2hTk2"gTek/cߨY`&`1\4tTl@!j:i?۴$1qHÑh] !IQMږyD6ՇH*7܉x8ѽ/DeO؀I^Yx5EpHԸ#|xLggO>0_^x/4U'iS[Sա*v25vKnυ@Z #LDȁY{4ɿTݑu:{R# ZB[ETi11܋\\Qހ]õ]&X,.R-G eCwtSƺS]kԏ 1l{`2I9$7 VjZH{o9{ۖ3{PӬN>ͧ_JQ4E `|]`-vu]iveK<> i^_`d}+1 9 Z,rG$_c::'V}jjQҋZN-oZ*JNS#- $0yY>E4d‰EU qykϦey}u6Iyr~|j"|'9ĠJPDb+5gxg_/:nN7ϗ7FKN;פ:iv3ɀ&dX8֪V7`Kk'ޮC&w󁭡,rJr"H ?6:'WM2୫d&w"ˍ^׾ <-- $>uܻ/Rx3kf5 x[&%9[7ɄcPu t:CsfJ[cW1MXRƒ t$uW͜5Hr Aa)#p?c%Wi8@r5)6K .Fw?? dz!CCZ9nVȨ)USAEI7CD r23~B(PHQ>b/\f~M㳰fi՜(YWbMo\zjzuAWn?n *WFnZ` QM}{Q++||̗RQ_W,@F̶# )&3;,}0 ZE>dz'Դf@wӐ?: M/G˥vn1@ LNaR 8 V8; ufCuәa {>0kBi5UD%i-DCwM0Ieg!@uGLν݂2&C? FtMn@>X^0{@`^@8)ppyY?0g>o߃5#z[-[X6x G͙A }RA\QD 2(%9E29 EEKi@( $hԎar.ρlb(,HX-VpD m'8.ܑW BX ,ЂW-Kᗄtfh(5hdƺń(VFNDt0Vn)j7A1M,$k> P^!͘;aL o¯M]KKz4'*Jo^r_OM)Hj`> 7nZATM2t͏E=kb$`~ =DyBbOx7;2kkFjWPy'gx)%).xքc$C ֓6_2˧ ESr:w'NѫU?ZOfSZlzQn^u 9B@_֥P  `y X{+/,7èkA +_ii  ܚiYl`cytE9Jɨ4>t:>{j -j&;?&TYOCXG[)ZH*r>_Y;L`beQ3E2Flp |ꝸS@kQDSOXn6 8yyf]?FB\ct+ˀ%\< M-UPbz q ڠ@XĞͧ  KמO,/,{+isuMّ.RB|zl [arhfl:l=߄3O;b^- 毺&aT5<6D ȸau-`byާc]Wѹq='aK}:EZ m˙0/7MX8[φOCBI-Hx ?;u?WT˟.;ǙOYͨ섐kJc\SК.X6[Ro3>\wdSIB(oA9E)&~(Xk±&>,<,+g4`HA.Db6 BU)L0:Jb 2b,X[TB$&6t݂bIta1:C.5fz_=2dB4^Uj,3t&)ʹ\{ZQU Z*P+ :;CUFQHSj p/Q>tFYGY h¹`dQеa#ECV0& P"7h6{eejڳu;O+, v|vKFA[$`@"KjEv*b56> 09g~+kJ$XS 1>L*k}\URS+{jTyE0֫uVv-"fdaD4@w=bC-\#o | 6RnCxތ9"zeaހWIlJhL6;_JONVMШ6> ͳiLl[tܷ p]ozZ7@(nsUoyFS =Jȍ>uG p?n2161,^ >tU d|,4̩,B,ؚIκVcl,On?{J ]/ UlX GqOX7ngSO XV[I9hZb2>Ki>E?9dN@u3 U s4NPF5_[dxUiô;9Qo@Hms11 >Tow\Op'ЍoU?F8J7pթb1VgPWtZ/3O?i~" ҧOGnRH|X&&iv<$Se.8(7u\+%!^ͳ!FNɂ]AӀ)x9L Lfl'`R(S&JTW".)wD<7ϰ;b}Nb 4PG }ʴWՄθā1Og-$NҬVum4eP$5}`MٸU V|2,irNR“s{@F:(8=.]EQh2)£{{7}óA"WP)߭Uu*Lg״Ҹ]@MC~Z?IueCjgM~l1%|˾WM $(Xp!}7{1yUh]I6EFh0\< 9Ni 8YR|YIsOeSJ:\w9" /Zg, Y# B\4ǧͦ 0h$Ǣ8s cj`&ziR_KѼĂ1Ka՜$"r MN3$nE88mH{oC( V`!fBdOT# (ʑ=`=` ɈF{uQ^c/:H2BL0BG_XZ(BRHHOUxht(x6;F_᫢ٿ~-&2}m!џ.W` eIbakf+6Iҹ8 $ubS`Յ{_/s; 0,B88#n1~xA\,6ҼJ9$c4QJh"8Q9;)~ڲ{, /=;,t'=LP':. K7t[b -ɔL ir< AgJȄaye5 fkC@$ğ_2 Iv(+6HPɂt#'59ݻ<^]j6DRF=`l)JZa"A| CuR e!>倏wJg+y-)ECV6yʏXI9zSaJf SZ{QJ$ı0뀴#K.snxwĎ+^@(NVp2k5wx+[_Y.t0믾};9]#ޓd=tWcDP~h='st97X16q=wv"ϒ{~\[5(" uVAv,3x<[<Mw[14:#^/A &Wɏd-Н>U?{d &=)sdzIe '䬅)v_*=lkd?J/[ ?--8t砚Tω%ɘNFBAUU-uJln jY9sJeWV2{ѩィW> @ƣbm0dƛ'q=+g=#tz=ȥGֻq?*~{w.%|@z@pw&{ZgQJ=qu@jjab\"~^Z\dDqD%t`uUF6m>9=35$i ј@.5mvx2etY ~AXY hwg9 91<#P`-ݺܭ1J "i#ĠHYT3M3 _5d 4:aV3*|"ZyVa? W_÷zgVy{ rx|[vzߎcTRF% $9_(bQ_OcAmJ3cR*xHuLDWRXp{ftBb<),kO{[ mԇ$Ɋ)ay> 1 0e+8ft+ ǔU &SCUѴzn3ɣrb[qf4%kaH̛](3@3T%| ,2%/9n*1nk:׺шb88 Cq $-e0X˕J&c礟C9q dq"]90)|K=wXw5=D2Pq <9) \{c"Of={L9~j6OӒ˩NI2V.[Fjb0_3(YJ]gWd؃HdN:OS qً9ڐی!!=S ǷHuHVR!4ِyFH;>,3 65x8;>? > qvLڬKShI^+$&WWU{Q|4,5k;@mLv}!$v~ jӝj9_KHbd;.A ۪I !aB4ͳU$6-CfUۨRϚT\y ەJȂI\-&=} LokpqʛRB /OO$V"z赭^3.w9PRUIOgK,o#Z=i1e BmHp(ar&-_^"3~vc J"A>=H.6+")SqR{⋻SlKȶeNX*_vͲZpK)ϗDba$(҉;X)$O"$O O#3$&(ő陸='ⶄy<)# }͗` t{NaKbEQd0$N(0oN#?%Brܵ-+&E^͆h>dӪa>)k9XlE] <yΜ-< 4߬TXz >jOx Xޖ/#̢ÉP%˗Ћ*]ނ͓RIZI-Ӵ-@!kC> cn=N Id捪I1(s&q9/,q}˳ Z "4P**\%Tp(YlXI@&!7A\QOFNo>Hs%Rp1oa;sK8cyEgFfdF.Pt(=/id :PDy> ߬~oaljmt3Pum[R‹~9q kjʹOHȁ3õI#IBqDF зC//7罿%^Y fnwfw#p ԌT7]vsK:1x`O,y-R{[RV7bJ4kxTYz.c~F|5@br  }kz9-Q֓R{[RWᥨ+X!ΡnEtݡgҗa~VW.{$8DID "!ķCh%{jxyK+?M 3 7! O>l< %9<xdp`o^IKD+^jO{oK*lӎp"]QIdCTgfިḶ0C8aB +loίlr7,-*B9K G%N3'&| THoᣃ)}'6XS0 36+H?jQ/18vֶqlɘJjAj~ 9vh PC]SoĎ HB98!bkv{m7^߭?aQ~ 9D/L$6#&yӈjJ^c&@$]rҙޣt̶S,/ eFE6(k[Tz}tf\oX⩊ \oRhg#u`M7O9)9vr`C`@xqDQF;!S+1s(iJKWDI]ےOARo7U_=&#[qc[s9. ϥpb8!!wFƮȈ86n7&AN2/{5P[]yh^]nTx xKܱKhL]UW~#Y܁5)3um!7_%&!˸W]~ҿ9uycmo QSkzm6YS#!٩Ս)ͤfm#l0M#ۀږձ6xQ|)L m~[KGĽ+Yާc( gc~u2HlD5:!VJE:`7M+ℱffmOh%3_wI4P7DWГ: .]/cRAp\|@Q7FK{~i[ c{ȗy궽\ '[f}a1E3(hMVÙBt aiq!Dxqv /6 I{&BDzfO"wrh2݀e*k+HEhgϡ6 ?SX%af"$t{-1>^}X]} * O2ȷ/h6.PӬO3طO0q_n"kwH&NxD}r&f/ٹJ_c l]BzM~6SF#Vч 唃b@ WE8g_ 6b'O4G\S} 'B&& ߱&!Ϝ|%|`OiaKxo7,= ѻ]yE U# `/sQyl~Bz.e{] U O$TMtq/ SqLAxGA',).+J&@O x7te"ĪC^ 1 t$rkS4a.wQm|*%>!Du2˙uNG<~bX4nR1Q(px ~2&f#bqBtbB!L!`lWZSi `3l s$@ֈ:ȑp|鴮#D[7d 6CX8K)4(f/.Z)]N"@[ g #?B5Du*%Bmn$>|3#ϐ .X`S֙;j0j:ay?lqOGA~?Ot2&4L]X e)u l9\UKr a8mt?|1q{a{!Ip/*_?>' .yHcI 8WiN4XmMngl, |lA`3W+e'I]Vi_q]F=VB"Q]y}5x]J7X,K=MȕEɩK2UF|7 _Iː!=K%❵$mQsM$ݓޠo9]glkM‰/ԝNIiyuݺej]LJ f&E`9YeJzũ6uF\ «X]+sx}QX\mIz`JT/!jbTձ_7MPl+<Fj؊km9Gj:kRx<۫JaV3%.M~Vp Ov͋It.ZhR NjOP)(%ʯ7ԁR)(樂#67fJ l.? Pysy+S;om.o52V#JgZ)VJ?u3OݔPusHڮN626oSSӆSlg賝Bȣ)_Rϡ~S 歷 歷K??}}N/P%%e|__Rw7i@7){ߤwBI]'I)z)|V…)qJy!S;NBE%৴rXB]W2l?\[[,Oнۺ{rJݳNW4CﹺKd^ ׂM}ӉzZ.?Ś/Z9rQ9m;ΈJ5faOd_Ǽt2]oND1K.1_w)ͣ,oT2f~4eĎTlOAprm>v-:[`\< 7WmB.omG;q]vY^][T[;Yo)P.Y~DcIiߟR4ߣS }xZLԸDpoQZTն[? 8ЛB/|bg܌3*X_wAUi^_/W&{&d󠪲IP4q: !F7xgdR xSsvڢ{&ބ+Xt=h{. 7b7 uoƎTIf:HżVB9˞7rHƤA3&$`vX#/L3DA(@#غ̷=> F0Y7,SdQجÙaO/%[zQ?"z%~@,Q1"M/iL6ofa( ^!v&Acȇ<ǀ)Hp bo!u1 j6`%Q(ԣw;0ǢyUkcU 4bn41lfu¿.3đL ~f|`uěœl 466;vGoC <:^[$ [LotOi 13!Ub!&Txj J|iv+Y-7Lj1"PS*WE ɐ&"9/޺chd{+cMF{72B܄Ј83`wZ^A Sïrxɛ$ve! F AcG=םې,ڮF uˉ4xR Hn~y&x D了mvK:>c/,gv; ͞39Dt"qt'`,YRcm8=ZLLI=X`ȗ@׽~rhFݙrb@ Z;|IW]& A_&|NbOhSxNug E6 i)ϱsFEߜ FXk;NJԶt:h}q[W3 Ƃ)mø\Τ-PxUgy ̸V|3(s$F""K)nXΘFV$53௛B|z^Dl, - )IFmMWp"JMBlPzwU&d!;BPMT'*R8WD K)YBAł?Qg.vFø)j)+2cQ!*-^x[9N@xmѵhW`byݍ¦mx82 WcVa]R>F+ ]'[ۧ3й?-}, e; ]N,{QAbzB#q, f7"!a3v۷Kt@ swSbz Yv E9bE]hT.*ʢcZ79/ߵc3qݼ®,vyX]Fbrq;s_08V0|:,lp/>cwq`2[\g4^5NpA&}k\ȏ,,$[뙗Z']Y!hXj=E"`Gd, ;bcXJ ,ozԛN*)Asa#El ;ApN7WmsS<"Y4/'tRL xV*E 3 .^sƠ{e0c.ٚջU$¨C)fi|҃!t3z99r?vmr?O1/rX >h.cv90Ť޳`=dZ>.<̲(`,$v"V$)rsh{h۟3T*D%L0]R3 %:Yl{ԧ^g"a?<v`hG,?ɋ| Sy!r*]ၘ7$ASP_Xџ]̑?B+O6ƕ)zX1^*7?t{_/8MAe^oByڹIv롸 L*`'ÓgG/T3MbQYDMuv;\S|ҹ\.\:u㖗O>]w>_64hI:Fs]YcuK+_0ZF-<#@5̪R"4&o )FҢpL\岞T|9{7 SnצdT4s_jjJJ6