Secure by Design: Developing Apps Without Flaws Takes the Right Tools
So by merging OWASP standards with the SDL and scanning tools from Fortify, MidAmerican girded itself for battle and set out to deliver secure applications. "Organizations often lose time and money by failing to incorporate security processes into the early stages of application development," said Mike Armistead, vice president and general manager of enterprise security products at HP Fortify.

Itron, which builds solutions that help utilities manage energy and water, also became an SDL user after facing security threats. "I got tired of writing six-figure checks to these outside vendors," said Michael Garrison Stuber, an Itron engineering adviser who manages the security for the company's product line. "From a business standpoint, it just made perfect sense to me that we need to be investing in how we do development so we're thinking about security throughout the life cycle."

Secure at the source is a mantra for companies like Denim Group. "Our goal, our mantra is to build a world where software is more trusted," Dickson said. And that means building security into the process.

Dickson suggests that development shops implement a handful of upfront activities before they even go to the design phase. One is to expose developers to basic security concepts. Another is to come up with a very simple but standardized way of doing the most important things and articulate that on a 3x5 card or in a top 10 list.

That list should include things like "we always protect client data at rest." Another requirement could be that "we always protect customer data in transit," which means you use transport layer security. "What we found is if an organization can succinctly define that up front, they save so many conflicts and heartaches further down the line," Dickson said. "If you don't define, for example, how you handle logins, you may have all the development teams implement what they think is the right way, and with all those different iterations you're going to have a handful that is just totally wide open.

"And we're not talking about malware here. We're talking about good developers who are well meaning, but through lack of knowledge or whatever they introduce vulnerabilities inadvertently into software that then subsequently get exploited by attackers to do bad things. And when they do that it's usually because the standards are not particularly defined," Dickson said. He also encourages setting standards for session management.

"The next thing we do is threat modeling," he said. "We recommend this to be at the highest level. You map out how the application works with two or three things in mind: Where data ingresses the system, where it egresses, and then how data is stored and what are the areas of trust in the application."

An Aberdeen Group study identifies three types of approaches to providing application security: secure at the source, defend and defer, and find and fix. Aberdeen also surveyed 150 shops and found that the average respondent invested nearly $400,000 annually on application security issues. However, the cost of remediating an application security-related incident is about $300,000. The good news is that companies adopting the secure-at-the-source strategy realized a very strong four times return on their annual investments in application security, the Aberdeen report said.

Mendix, which offers a codeless development environment, claims the very nature of its software approach eliminates security issues. Mendix uses a visual Model-Driven Development approach that lets developers build applications quickly, without traditional programming and code, and easily integrate them with existing enterprise systems. It features one-click deployment so users can instantly deploy their applications in the cloud or on-site. The platform also provides centralized IT control, governance and security, said Johan den Haan, CTO of Mendix.
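The two ideas Dickson describes, a short list of standard requirements ("protect client data at rest", "protect customer data in transit" with TLS) and a high-level threat model that maps ingress, egress, storage and trust areas, can be turned into a repeatable check. The following Python is an added example, not code from the article or from Denim Group; the trust zones, flows and stores are a constructed, hypothetical web application used only to show the check running.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Store:
    name: str
    holds_client_data: bool
    encrypted_at_rest: bool


@dataclass(frozen=True)
class Flow:
    name: str
    src_zone: str            # trust zone where data ingresses this flow
    dst_zone: str            # trust zone where it egresses
    carries_customer_data: bool
    uses_tls: bool


def find_gaps(trust_zones, flows, stores):
    """Return one message per standard requirement the model fails to meet."""
    gaps = []
    for f in flows:
        if f.src_zone not in trust_zones or f.dst_zone not in trust_zones:
            gaps.append(f"{f.name}: touches a trust zone the model never defined")
        elif f.carries_customer_data and f.src_zone != f.dst_zone and not f.uses_tls:
            # "we always protect customer data in transit" applies at trust boundaries
            gaps.append(f"{f.name}: customer data crosses {f.src_zone}->{f.dst_zone} without TLS")
    for s in stores:
        if s.holds_client_data and not s.encrypted_at_rest:
            # "we always protect client data at rest"
            gaps.append(f"{s.name}: client data at rest is not protected")
    return gaps


# Constructed sample model of a small web application (hypothetical, not from the article).
TRUST_ZONES = {"internet", "dmz", "internal"}
FLOWS = [
    Flow("browser->web", "internet", "dmz", carries_customer_data=True, uses_tls=True),
    Flow("web->orders_db", "dmz", "internal", carries_customer_data=True, uses_tls=False),
    Flow("web->session_cache", "dmz", "dmz", carries_customer_data=True, uses_tls=False),
    Flow("nightly->partner", "internal", "partner", carries_customer_data=True, uses_tls=True),
]
STORES = [
    Store("orders_db", holds_client_data=True, encrypted_at_rest=True),
    Store("report_exports", holds_client_data=True, encrypted_at_rest=False),
]

if __name__ == "__main__":
    for gap in find_gaps(TRUST_ZONES, FLOWS, STORES):
        print(gap)
```

Running it flags the unencrypted hop into the internal zone, the flow to a zone the model never declared, and the unprotected export store, which is the kind of gap the article says surfaces late when requirements are left undefined.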