Secure by Design: Developing Apps Without Flaws Takes the Right Tools
"The way we approach application development ensures that we have a much better approach to security," den Haan told eWEEK. "There are three main things in our platform that change the game in app security. While we interpret all these business models as working applications, we have a single engine that's used with all our customers. And that engine contains all the necessary security mechanisms.
"They're all available out of the box—things like authentication APIs and role-based access are all part of the toolset, and you don't have to think about it," he said. "The second thing is while we have all these high-level models we can do all kinds of static analysis on these models. And third we have one central, battle-hardened cloud platform that's been tested and certified. And our customers do penetration testing on the resulting apps, and everything we've learned from that over the years we've directly fed back into our engine," den Haan said.
As noted earlier, HP Fortify offers scanning protection for customers. HP Fortify helps users reduce their security risk by offering both on-premises and software-as-a-service (SaaS)-based solutions to identify, prioritize and remediate application vulnerabilities. The solutions also enable organizations to save time and resources by eliminating risks in the early stages of the application development process, when they are easier and less expensive to fix.
"We were in search of a security solution that was capable of analyzing a large amount of code, with minimal adaptation, and worked across many programming languages," said Roberto Baratta, chief information security officer at Novagalicia Banco.
SAP's development process includes using Coverity's tools to help implement security early in the development process.
"Coverity enables developers to produce secure code and gives developers a more positive attitude about addressing security, which ultimately leads to fixing security issues early and protecting SAP's and our customer's brands," said Uwe Sodan, Security Code Analysis Team Lead at SAP, in a blog post.
But how much application security is enough? "It depends on the threat," said Denim Group's Dickson. "If you are a non-profit, you're going to do a certain level of testing because the threat is pretty low. But if you're Bank of America and you know that the Russian and Eastern European hacker gangs are going to go after every piece of your software, you have to do much more rigorous testing," he said.
"If you go to the big banks, investment houses and insurance companies, they do rigorous testing because they know the threat is off the charts. They know the fraudsters and the Eastern European attackers are going to try to manipulate their software."
Overall, the essential principles for designing and writing secure systems are well-studied and mostly boil down to good software development practices, said Al Hilwa, an analyst with IDC. However, the problem is that it is time-consuming and requires a great deal of discipline to stick to them.
"For example, by design systems should strive for reduced complexity and thus reduced surface area for attacks; user input should be validated carefully; features should be locked down by default; the system should require the least privilege possible to operate, etc.…," Hilwa said. "There are design-time, code-time and, of course, the all-important test-time practices that have to be employed to improve the level of security," he said. "Fundamentally, the fewer the bugs in a system, the more secure it likely is."
Spain's Novagalicia Banco uses HP Fortify on Demand to run ad-hoc analyses on the source code of approximately 400 applications, including areas such as mobile banking, e-banking, payment gateways, corporate Websites and wire transfers.