Most businesses aren't doing enough to build and buy securely written software, according to speakers at panel of corporate security executives, academics and professional software developers speaking at the RSA Security Conference 2006 on Tuesday.
The problem stems in part from failure to ask about how securely commercial software is written and failure to train in-house software developers how to write applications that leave few vulnerabilities, says the panel, drawn together by the Secure Software Forum, a group founded last year to promote applications that resist attacks.
The threat is enormous, according to Gartner, which says 70 percent of business security vulnerabilities are at the application layer. This is compounded by 64 percent of in-house business software developers admitting they lack confidence that they can write secure applications, according to research done by Microsoft, a sponsor of the forum.
But businesses need to do better, says Dave Cullinane, CISO of financial firm Washington Mutual. "If you have an application exposed to the Internet that will allow people to make money, it will be probed," Cullinane says, and the consequences of being breached are not only financial but also damaging to the reputation of the company. "You will lose money; you will have problems. The reputation risk can literally put you out of business. Twenty percent to 45 percent of customers will leave you if you report a security breach."
When buying commercial software for business applications, corporate customers need to find out what architectural procedures the vendor followed and how stringently the software has been tested for weaknesses that can be exploited, the panel says.
This review of the software should include finding out where software is written - whether it is outsourced to other companies - and what the security parameters these consultants follow, the panel says.
In addition, businesses should train their in-house application developers in writing secure code. If they have knowledge of security threats, they can defend against them when they write, the panel says.
In practice, very few companies actually do this, according to a survey of Fortune 1000 companies polled by the forum during seminars it held over the past year. Only 36 percent of those companies polled educate their software teams about security, and 30 percent said they have integrated security assurance programs in their software development process.
One panel member agreed that education helps, but developers also need tools that flag potential flaws as the code is being written and that can fix them automatically. The job of the developer should be to write applications that perform specified functions and accomplish the task in a set amount of time. They are not security experts and should not be.
Penny Lane, chief information security specialist for Visa, says developers don't have a good picture of the realm of threats at all different layers of the network, so have trouble conceiving of the types of threats they should guard against.
Justin Peavey, vice president of security architecture and engineering for State Street, says developers should write applications according to sound principles that isolate the areas of code that represent risk so if a flaw is found, only a few lines of code need to be rewritten to fix it. "If the threat is distributed throughout the code, then it's impossible to find the vulnerability," he says.
Once code is written, it should be tested for flaws. This task may have to be performed by specially trained staff because normal quality assurance testers don't have the training to do the job, the panel says.
Lane says Visa has a code-analysis team that looks through the application for flaws in how it was written, and a second team that performs penetration testing against the application.
One panelist says testing for vulnerabilities to just a few specific, common exploits such as SQL injection, denial of service and cross-site scripting can vastly improve the security of applications. "If you can apply testing for the top five vulnerabilities, you can make your code 80 percent more secure," says Caleb Sima, CTO of SPI Labs, a sponsor of the Secure Software Forum.
Businesses should put more pressure on commercial software vendors to create more secure applications, says Steve Zimmerman, vice president of technology risk management for Region Financial. "We buy many products off the shelf, and vendors say that nobody else cares about security, but they should," Zimmerman says. "We don't want to be in the newspaper with the bad headline."