Secure by Design: Developing Apps Without Flaws Takes the Right Tools

By Darryl K. Taft  |  Posted 2013-08-30

"All of a sudden that same vulnerability may cost you many thousands of dollars to remediate," Barlow said. "And, of course, the worst case is when you release the software product with vulnerabilities or security problems in it, and now the dollar figures could be in the millions. In our scenario and I think in the scenario of a lot of large software providers, if we have to go out and issue a patch for a security vulnerability, that's a number that's easily measured into the millions of dollars. Because we have to redistribute the code."

Barlow said IBM stresses the use of scanning tools. IBM has its Rational suite as well as AppScan and other security tools in the Worklight suite for mobile development. Big Blue wants its developers scanning early and often, he said.

"The analogy I like to think of is the days before spell check," Barlow said. "With spell check you become a better speller because when you spell a word wrong enough times you'll realize your mistake. Well, the same is true in developing code. If you are poorly writing your code and using poor syntax, you can inject vulnerabilities into that code fairly easily. But if you're catching that as you're doing it, you'll learn. So a big part of our tool in this space is as much about scanning for the vulnerabilities as it is about providing education for the developer on how best to write their code."

Barlow said a typical scenario is to run source code scanning during the build process; once you have a working prototype of the application, you switch from source code scanning to dynamic scanning, where the developer acts as a penetration tester or hacker.

These IBM tools run on most common languages and also support iOS and Android. Barlow said IBM dusted off its AppScan tool and added support for 40,000 mobile APIs across iOS and Android.

For its part, Microsoft has its own version of what IBM calls its Secure Engineering Framework, except Microsoft's is called the Security Development Lifecycle (SDL). The SDL came into being after Microsoft software came under incessant attack in the early 2000s, Glenn Pittaway, senior director of strategy, architecture and policy for Microsoft Trustworthy Computing, told eWEEK. At the time, malicious attacks on Microsoft by nefarious code such as the Code Red and Nimda worms prompted Bill Gates to write his famous "Trustworthy Computing" memo.

"Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony," Gates said in the memo. "Security models should be easy for developers to understand and build into their applications."

The Microsoft Security Development Lifecycle is a software development process that Microsoft uses and advocates to reduce software maintenance costs and increase software reliability by preventing and eliminating security-related bugs. Microsoft's SDL emerged out of that Trustworthy Computing effort, and by 2004 SDL became a mandatory policy inside Microsoft. All products that address an enterprise audience or touch the Internet need to go through SDL processes, Pittaway said.

"So you can say that every single product is subject to the SDL," he said. "The way we've implemented this mandatory policy is we've produced—in conformance to ISO terminology—policy standards and procedures behind kinds of behavior we want to enforce or prevent. For instance, we want to prevent buffer overruns and we want to enforce the use of good crypto technology."
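The buffer overrun Pittaway singles out is the classic case of a defect that a source code scan of the kind Barlow describes catches at build time. As an added example (not code from the article, from IBM or from Microsoft's SDL materials), here is the unchecked copy a scanner would flag, beside the bounded form the "prevent buffer overruns" rule calls for. The function names and the 32-byte limit are assumptions made for this example.

```c
/* Added example, not from the eWEEK article or from IBM/Microsoft:
 * an unbounded copy a static scanner flags, beside its bounded form.
 * Function names and NAME_MAX are assumptions for this illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

/* Before: copies whatever the caller supplies into a fixed buffer.
 * strcpy never looks at the destination size, so any input of NAME_MAX
 * or more characters writes past 'dst'. This is the pattern a source
 * scanner reports at build time. Called below only with input that fits. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* After: measure the input against the destination before copying, and
 * refuse oversized input rather than truncating it or overflowing.
 * Returns 0 on success, -1 if src does not fit (dst is then ""). */
int copy_name_checked(char dst[NAME_MAX], const char *src)
{
    size_t n = 0;
    while (n < NAME_MAX && src[n] != '\0')   /* stop scanning at the limit */
        n++;
    if (n == NAME_MAX) {                     /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                 /* n bytes plus the NUL */
    return 0;
}

int main(void)
{
    char buf[NAME_MAX];
    char oversized[NAME_MAX * 2];            /* constructed 63-char input */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    copy_name_unchecked(buf, "alice");
    printf("unchecked, short input: \"%s\"\n", buf);

    printf("checked, short input: rc=%d \"%s\"\n",
           copy_name_checked(buf, "bob"), buf);
    printf("checked, oversized input: rc=%d \"%s\"\n",
           copy_name_checked(buf, oversized), buf);
    return 0;
}
```

The checked version rejects rather than silently truncates, so a caller has to handle the error path explicitly; that is the behaviour a policy standard can state and a scanner can verify, whereas strcpy leaves the bound entirely to the caller's discipline.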

Microsoft did have to take notice of new processes and techniques such as Agile development. "A few years ago we were getting feedback that the waterfall style of SDL was not reflective of the way many groups inside Microsoft developed products," Pittaway said.
