Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Experts Say Its Time to Write Secure Code



 By: Dennis Fisher
2006-02-23
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Author and chief techology officer Gary McGraw is urging developers to write more secure and reliable code and include security measures in their applications.

The term "software security" usually conjures images of aftermarket measures like intrusion detection, anti-virus and firewalls.

Gary McGraw is on a mission to change that.

What developers should be thinking about is writing more secure and reliable code and including basic security measures in their applications, not relying on customers to lock them down once the software is deployed.

And IT managers and CIOs should be using their checkbooks to let vendors know that theyre no longer interested in buying flawed code, McGraw said.

"Its time to do software security. Theres been enough philosophizing and hype. Now everyone knows we have a problem and wants to know what to do about it," said McGraw, the CTO at Cigital, in Dulles Va., and the author of a new book, aptly titled "Software Security: Building Security In."

Is It the End of the Security World as We Know It? Click here to read more.

Resource Library:
The book is a step-by-step blueprint for developers interested in building more secure code from the ground up and centers on seven "touchpoints" for software security.

The tenets include code review, risk analysis, penetration testing, risk-based security tests, abuse cases, security requirements and security operations.

McGraw is under no illusions that ISVs and in-house developers at other enterprises will be adopting this plan wholesale. Change takes time. But, if nothing else, he hopes development organizations will at least take the minimal steps of using static analysis tools to scan code, and performing risk analysis audits of their applications before they ship.

Perhaps the best-known example of a company getting religion on software security is Microsoft, with its Secure Development Lifecycle process.

The company has developed the process over the course of several years and continues to tweak it as need be. Microsoft also has built its own static analysis tools, PREfix and PREfast.

Oracle has begun using a similar tool, Fortifys Source Code Analysis suite, to audit its code.

But, as McGraw and other experts point out, such tools are only one piece of a much larger puzzle.

Mike Howard, a senior security program manager at Microsoft, and author of "Writing Secure Code," pointed out in his blog recently that developers must be careful not to place too much faith in code-scanning tools.

"Such tools, often called static analysis tools, such as the tools we have included in Visual Studio 2005, are very useful, but they are no replacement for human intellect," Howard wrote.

"If a developer does not know how to code securely, or if a designer does not know how to design secure systems, and testers dont know how to validate the security-posture of code, tools will provide little, if any, help."

"I agree with Mike on that," McGraw said. "I just dont believe any tool is the be all and end all. Static analysis is not going to fix everything, but you sure as hell ought to be doing it."

Despite the success that Microsoft and other software companies have had in cleaning up their code before shipping it, McGraw said that the majority of ISVs still havent gotten the message. In fact, development shops in financial services companies and other non-technology organizations are taking the lead on developing secure code.

"Its not the software vendors so much. Its all of the other people who are doing it," he said. "Qualcomm, Coke. Were making good inroads, but we need developers to get behind this idea.

"It takes market demand [for change to happen]. Consumers for some odd reason think that everything is secure, and when they find out its not, they get [mad]," McGraw said.

"These companies are finding out that people have implicit expectations that software will be secure."

Many companies in recent years have taken to using penetration testers to attack their applications either after theyve already been deployed or in the predeployment testing phase.

But this kind of test is only as good as the tester and the results only show what vulnerabilities exist at one given point in time. Given the dynamic nature of enterprise networks, the test results are likely out-of-date by the time the CIO gets them.

"Pen testing has devolved into a feel good exercise. The reformed hackers [doing the test] find five problems and maybe tell you about two of them. Its usually incredibly surface-level stuff," McGraw said.

Click here to read about Microsofts bevy of security betas.

"The hackers feel good, the customers feel good and the VP feels good because he gets to check off the security box and go home."

Along with Microsofts Howard, McGraw is part of a small cadre of experts that has been agitating for better software development processes and more education on secure coding practices for developers as a more efficient and effective way of addressing the epidemic of security flaws in commercial software.

But adopting a framework like McGraws or Microsofts takes time, discipline and a commitment from not just the IT organization, but upper management as well.

And, as McGraw is quick to point out, breaking code is far simpler than writing unbreakable code. Or, as Dan Geer said in his foreword to "Software Security": "I personally prefer Sam Rayburns earthy formulation, viz.: Any jackass can kick down a barn, but it takes a good carpenter to build one."

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Experts Say Its Time to Write Secure Code
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Dennis Fisher
 


x}ks㶲*Q3CO#MɶlIJ|,LjI)!)J /=hɏsw<5D /4|Aȅ=&mǘYNӡGLzI|݇@@iZNU rJ e>HwW7ncR;^> \?g#QY|}^~lv .pѴ ⌲Qm5xyG`nZN<Q܇CѺ8QQw,8$a}#$aT<ش'l^b&{Bq45;^7WFV~B {.Y^Z ,gx 8b'*#O^3lcㅰH A-c9p<u#wJ3v'uڪ8NQp/F:p,#ECr4 .ܪa?WuomzVuoǞ32w p%X䈍YR0wC'&>dСģZr ˺7heo6 u{ҾVUBXWG}޴ ޷L{`*sЙ~֚7?ҽPʪ)~{:ʑGAnnkp[J^׵Sn_w|n^\|r - o$&W JDTRBp$" ĆIu_ZGm.oVQ~ASC TIja>E4b‰EU}$Vw"?Zu$uyX6&ZhCA+tV9jqszr|qӺ540:;RZڗG$N:ǽ/WM2 ୫OGcdp,'^t7QZ,7/s$dBrZ~@X*,>JAͼ94o o SE@- uj k+:YK70S_o3;j\K=0[-RFp &JpJq䰉cYSl \4'O2X U >hI,A[!fT}N}%I FRÜMkݶOCGs>2胎6ml-ÉIXn`VtHQp{4ڭ,%H_ >< )ZN=H:}m`95$ǶCMߟLs#09w ښB<QЁ4}a vhq.ppyY?0d| w,߃9#z[MKx GِRA\Qo@' dQJ ds4.'P(AH 9 99 ŊPޑvZ*&RPJnOq$]8cJ"ڹ&,S,ЂW-Kᗄtfh(L=?U Q򍜈<"`&ˑea*0pRx5Vn`oʡ헫& ==˚hfZi [N@Nt0jHL\U}GeyB9@cϹ`m'ȓcQ2G6Êi֜Ǻs2:yBSӆNH|Ehs 2!jĹǦ笳Z&5LUX ouE4=fX*pn=&.0|jj+iS w$m˴o)TЛv!39n! hW.Y 2cxRUyRt+[Y3R7)\IYbT9XScXM`Dw Lz?qm/n$1LaV|\vΖuV"kͲG{_No6Ҟ~iZZ @-ei ,a-׾0^Ԣ(-a|u(" !tsaŴ,B /0<:Bb&^&dhQ?iM> cc9}sö V/U Wß@-tX)Z%a5sV@d@7h` DlVCax5Zzǎ As,M[{fL8g cp>H%2ĂN? ' [BSjb3}Ä끄 _%t7w:P[%5n/.{K isy]ؑ.RB|zl P[aHz{>cTfla82-|<ݝtlļZB_uAiTԗKJAUcϓckLĽf2,rFe9وAF9 CQ>-Dڦ= G.5uH85[̈́OAE- 88qxS??uPVƎ< [Kg>ZFm `+|\sgI}єa˘30|q֣q$KD(Mܧh&\3atSN䱯3 g4`Hڸ/|P"X58h|> B K'"Z``EsǖYCǖbT۔Ђ[|P*'i~Ò?DBCizi}~هF9C!_%Pq"JPVblxcC+jrXT+ 7+|f~~{ ߥCc *|}Gw'Ǜ^~:FaY8 ^_>m^:J39X>: ;012&z-Cv5  ʌJo!<4`k+(*H30=: ͼz8_n'?!AG5"h!({3E6(1 "vV;KjZS~I1H%[SG3GŕRЮ#f k>L5*jAe߯Y+^> ) Lt0Ȁ%=Gl0۩p>dV}P@K&nƚ6 37}&Mno=ϼd[̌<9E 7V"=_`%sQl x@̬}#u0m97a~E-0>Oi_ Fb&T~\yy خCg^a+w9e6e'Ww}uTcpA JG}og|/U[A9Xb1J9ޥ0͜)6@y #keaG8fz%~f^{~{?I jf?}TJJ\ӳ (J+H@:erЗSv8^go齦m6<԰6MFk4× D8 m̀@ c\49`B4c-Ig Ay8<\;Z9 ºUXHE`|C(Wtzȃ}E9{B*q^]4DG2sE6^SF(+bK)"$DY \eg'u_f} bt4zUt"w[4Po1r!~_!c&o8~ ѶPhLVb:ntL:{dNlp l_`EcrfF4-_{w jE5PARB9kũ-xOӆO\fax!u, q%՝b" oBٸEO ,l}[[LpAS2%I"ϔ m$IjSfkC@$ğ_2JIv(+Ht(dAWjӚmf /.i϶n_"#&@v\&0Ӑ qk7.BE HY)o8-yB>Blb%%hҫoeW!؉lj9l01ta^rWSu"6GHD91uv;2x;zZ1 ?ݮpne9jo{t~h=;0Gst7Xpg-;oCĆ'weNx>IАߙc=p9!M[zMY fc ǻc Ǯ~'ݻ~Zw[q*A-wC<-R#I1$$Z^T@**s攤ˮvȔWN Hƣbm0dƛ'q=Kf#{Ӈ{ ~}!F.5?6.s!TxBo~=˸a2]a{*{w}wo]VZtCq@1&x/.)%/E5@OKtGY_ QKwv{Y!0N آw=63~OkO=riG.}Xs?4hg@[˱=Ιx <v4.߮ B;BJ [42UCnuk-Ǭ§ ,'iƿWc#ޚU2$;lߔc͘37Ocp௥* XR|  .wi{\naa0^> <"s(ı߂KݤCƧSӆUe[CY!>'!nꨣjjYٗwłyK=jSttxl8[߬}QljGm)PJZ59+\,QDx7TZx:aC5ėaJ X쑧c(n!"~}ns9TZ1,Kj."w86v"'Եq<>G&3_+ՓYHnc\:·x&: "FT٭o/w%qvߏ3yAbZjpp'`qƦQ-1p]hIޝ,8G>P SYD#L,tzEzLt({}&"1}pa~3`k`,):5ϝ{,Ï5{FZvmXyr"mM^>8V-8(BQ,T}(wbS"6 */LUn ,VbLd:J^I?yD ^\Vk{I܂I{HR#i"9֤EcHH,i'.rK4JllJ<^*Rz3`7G#to٠ < [ &p޵qfBieBLDSUQ0}4,5o;d|C& >  ?j-v\%wN))j *sg8, *&5PАr.RΈn~n5ox._:3GĖ:,_Yf+"t4 +P#l/Z=Ja_-UeقIKzOԱh,'r,odž*6rΆ/LD)ԔLa9D#oN]Ѽ[BERUI+O`%NXYdԗ'3R IԖf̵A"VpH%'B"қCGG_ߴJٔ O'+a-M$ P.kKV.U XD8XARiȣ zR|-bz1$tj<\KȥRt}ixRW馍rEٯȆ$|C4@,lxnOYUz1c4,7|f9bYfg|GFt&F)坒; F~cII& 'aӽ4"-<ԟ)_PPȼV$n-88 8/E+f%!DpЬJM3QF\߬kOgUQ̤a2T7-D_@j>tWZT)*&<B'IըOS' ;/I,7cپ,NGM||||_\Z>˫wAd@7:@%3(-IvPh>>U7g8#qacpuNI2PX?IuzO(/1xn7]`޶O-+[s M`@牏e%x]au-00; $~qCC}l|G*|m[|tmB%$?Uk]-:@8x<*c';&  W17OE4ێ_nU8b;p5< KPj~R?Nذ9B  !x>*d|}`"Yl<7}yx}ֱn g_lc t㦀 Jx@ղ1t=`Ā a:I&I +"/sU&v`f0g$tt/͕,@G`ũfޖpÑn:_/bT܈_<@}IVOMko~#*'HmO`n}Ê{{TVq:Q/r~V p\ S)mi~3Ӈ Iη0HxN&sjxϩVQ՜|咿<^YR z~b]1a⍾*B UNz yԥ:BME7cWBhrx^HQ5:@ mN󼦘hC~?Vz^3XZkX;Xif‹yBE ~K-y -JYՉHЛ,ݾ]_<NIGnHteŝJqpq:BtkiL٦ƗRµIʥ rQ D#'&E"#MJ~RRߡ<ƔR{ؑժTjQܣ@VT9>TeWzPZ#6\=S`zE(BAdӓo)?쇩1l˖C0ۏUztWc3 x J⸋bv0 {{n/1~݈+k2Щ H Wkn2R)5?/R\mD 9vsđuNc\2,9)Ci\d3+nіTm}yVң]F bxɹn붩t8ҡ`7b~mz/x|#+#oDi!B'Lm5jMh9Mfikxg4KWOw`ʪ1>F+PSC7,6M$Ae5T?0нnnZU}GКXw/BJ 76&pm[Њ/Z>coI c Mrtƃwe\S{ I8Gg_ 6f^ZGZQ!G)}o {#d2zވD9#YZ `Oi$~b Ï"vFf.BT0 ]0!`͛fgF\6o^yE@ܙ6%<yS]\* }ti0xfA)CO좺t,A]Égաu/ـ tC |9[CG)W9Ĕ#M90ּ+ cDT.3Oa@P=SbX"bR1Q(Vpx ~2&IE< ,i Ps6@א0H`lgs3%H 1L_ 1aCk4bwƉ As%{Qi]16Faŷn(l8*wxcF||>gg~t? D:b)q (bE7@,G,(ϏB5Du*%n67PF,1 u|``EP00a|Lo?ѧaPOnN@ S3Tf;. l9 :UeOLg>򽉁{:ςlQغ9P;tɱcdH>0=uR\jsB& )nyg3sn&&~oon2/$)CAy#Wpz~;"9(/GR*zUKӌ}(ϐge3VNa{r!Wgˀn_} Ks\WKM0TntEճKT7cn%:v^_s\ȜHǣqa@BD4k{HO8ѭ=\zI[ÙxwI0? ۓ{ 7]wإ9#p} ~iMnڧn\v<2kݫ+++p'k͠~%s"N^Rqà6V {x5CחUڳi>YF<]OxJ?&.) (Q"cq} !1eϑt nhqjF߮e$53௚B|z^Dl, ي݋SFmuWr[vEQvUht[#R,`+/2^;' g\vCXl=wm%)@A :XqKAvޒ{ƾ( ;CcwϏp`2uzNN7pA&}+\ȏ,,L[Z']Z!hXrE"ҁ )Q~)'mfK#fY1[Rj0gn~ӣ4pRaL $b[иdS1'@j0\|5H d9[\K^مu&v3k9/YH~>  \99.@$ASP_Xџ]̑?q*g\`