The software and web applications we design, develop and deploy in our organizations are a major resource in and of themselves, without even considering the critical data they may hold. Building secure software should be an essential part of any organization, and yet software security assurance still lags depressingly behind quality assurance in the vast majority of organizations. Software vulnerabilities pose one of the greatest risks to our organizations, yet they’re one of the areas least understood and therefore least attended to.
Yet as the attacks on our applications continue – 2015, for instance, “broke the previous all-time record for the number of reported data breach incidents,” Jake Kouns recently reported – we can be optimistic that organizations will more speedily adopt security initiatives. It may indeed take a breach, a request from the board, or a compliance requirement to get an organization on board, but at some point, many of the organizations that now do little in the way of security will need to design a security assurance program that will teach the value of a healthy security outlook.
With a strong software security assurance program in place, an organization can be confident that its applications are secure at every stage of the SDLC, instead of relying on a late-stage penetration test or code review that sends an application back to the design stage for remediation.
Why Software Security Assurance?
Software security assurance is defined as the level of confidence that software is free of security vulnerabilities and that the organization has minimized the risks posed by vulnerabilities through early detection and remediation, among other practices. The main concept behind security assurance is building security into the development lifecycle, so that by deployment time you have a high level of confidence that your application is secure and ready for the world…to attempt to attack.
Of course, it’s not just about being confident hackers won’t intrude into your systems. Regulations and risk management are also prime factors in the adoption of software security assurance programs. In our increasingly complex infrastructures, there is a huge incentive to keep our data and systems free of vulnerabilities. At stake are financial losses and/or regulatory penalties, along with loss of customer loyalty, your good reputation, and whatever customer, corporate, and intellectual data and property your systems held.
But there’s no easy way to achieve security. Reaching a high level of confidence that your software is free of vulnerabilities takes smart planning, in the form of a well-structured and well-implemented software security assurance program. For an inspiring example of an organization that went from bolting security on to building it in, consider Microsoft, which in the late 90s had dealt with numerous “embarrassing attacks.” To combat the attacks from the ground up – as opposed to on an ad-hoc basis – Bill Gates launched the Trustworthy Computing initiative via a 2002 memo, which put a sharp focus on building security in through their SDL methodology.
So, to help your organization adopt a strong software security assurance program for its in-house applications, here are four keys to maximizing your success:
4 Key Parts of your Software Security Assurance Program:
1. Strong Focus on Security Awareness & Education
As we’ve long discussed, developers come to your organization with a wide range of security knowledge. Without a formal education program in place, a general lack of security awareness can wreak havoc on the relationship between developers and the security team or manager whenever issues need to be remediated.
The truth of the matter is, you can’t be sure your development team has strong security knowledge unless you help educate them. Security education can be accomplished in any number of ways, which leaves room for more interesting approaches, like CTFs and other kinds of gamification that programmers are more likely to get excited about.
Of course, it’s important to also arm developers with the standard resources and practices that a strong software security assurance program would require. But even the core requirements can be taught in interesting ways, especially through in-house security events – like a Game of Hacks challenge – or hosting a local OWASP chapter event and inviting your developers (and maybe including some pizza or beer to raise the stakes).
Getting the executive board and development team leads on board for training sessions shouldn’t be too difficult once you convince them that the time developers put in now will let the development process continue more smoothly, without a final code review that finds a multitude of high-risk vulnerabilities, breaks the build and sends it back to development. When developing a security assurance program that is going to last in the long run, a strong education and awareness program is fundamental.
2. Established Secure Development Practices and Procedures
Along with introducing a security awareness program, another key step to a successful security assurance program is to establish well-defined and consistent development procedures that ensure everyone follows the same path towards heightened security. This includes general coding standards that must be followed as well as project-specific requirements that should be well documented during the design phase so that security considerations receive proper attention.
The good news is that there are several established models you can adapt to your organizational needs, including the two best known: OpenSAMM, the Open Software Assurance Maturity Model developed by the OWASP community, and BSIMM, the Building Security In Maturity Model. Beyond offering guidance for secure development, these frameworks help organizations determine what level of maturity they’re currently at and where they want their program to take them, and help define and measure security activities as the program progresses.
By using the free resources and guidelines these frameworks offer, together with your own standards defined by the languages, tools and processes unique to your environment, you can accurately determine your current maturity level according to well-defined metrics and shape your program’s future with more confidence.
3. Automated Security Testing for a Secure SDLC
To get the best ROI out of your security assurance program, it’s important to select the best tools for the job. And when it comes to security testing, automation is the name of the game. Not only will developer adoption be higher thanks to ease of use, but the relationship between the security team and developers will also benefit from tools that find security issues while the code is still being written – as opposed to as a last stop before deployment. That late-stage testing has, historically, been a cause of major tension between security and development, and a strong automated security testing tool can bridge that chasm.
By automating security testing, you can establish a Secure SDLC that won’t interrupt the development workflow. Static analysis tools that integrate with the developer IDE, bug tracking tools, build servers and source repositories make developer adoption much simpler than traditional security testing does.
Combined with the security awareness and education they’ll receive, giving developers more responsibility for the security of their code, without making it a burden on them, will propel your software security assurance program forward. With next-generation static analysis solutions, your development team will begin to see and treat security vulnerabilities as the software bugs they are, further embedding security into the developer culture.
4. Ongoing Security Assurance
Just because you’ve released your application with confidence doesn’t mean you’re off the hook and on to your next release. If a customer complained about a bug in an application, you wouldn’t ignore it, right? In the same way, it’s critical to update your applications as new attacks are discovered and reported. Especially with 95% of applications using open source components, it’s up to you to quickly remediate vulnerabilities, whether found through in-house tests or reviews or reported in public databases such as the CWE, CVE, and CCE. Part of the idea of adopting a security assurance program is to ensure applications remain secure, especially once released to the public. Security is never done – and it’s essential to make that part of your assurance program.