Coding Security Into Applications: Survey Shows Eleven Percent "Very Effective" at Doing So
Data breaches, hacking intrusions, and attacks due to weak and insecure software are reported in the news with troubling frequency. Each event and incident contains unique and newsworthy circumstances, but with each newly uncovered problem, there are similarities and patterns in the causes. Failure analyses from breaches reveal trends and insights that can help firms correct and avoid the problems and the consequences that would otherwise follow.
Let's examine one case in point: The 2012 data breach in the state of Utah that exposed social security numbers and personal data of nearly 300,000 Medicaid recipients. Utah's governor held a news conference to report that initiatives had begun with the aim of reducing the risk of future breaches, including audits, oversight and investigations.
The problem in the Utah case was hackers. Their attack? Exploiting a default password in a upgrade application. Once inside the the system, they were able to bypass security controls. But the fact is that hackers got in and took protected data using a common and quite unsophisticated method.
According to the Verizon 2012 Data Breach Investigations Report, a stunning 96 percent of attacks investigated were "not difficult," and 97 percent of breaches were avoidable through simple or intermediate controls. In the last eight years alone, more than 1 billion records have been compromised due to breaches. Only eight percent of breaches are discovered internally, and the time to detect a breach can range from weeks to years, as in the cases of Nortel, TJX, Heartland, and most recently, Global Payments.
An InformationWeek research report titled 2012 Strategic Security Survey shows that of 946 respondents, only one-third incorporate secure practices into their software development life cycle (SDLC) process. More alarming is that of the 33 percent that have a secure SDLC, only one-third of them rate it very effective. That infers that only about 10 percent of organizations have a serious, disciplined, and effective process for preventing 90 percent of the problems.
Knowing and Doing Secure Development
Developing strong, secure software is a sophisticated and complex process. There are many factors that apply pressure and influence to the SDLC process in direct and indirect manners. Time, cost, talent, teams, contractors, mobile, UX (user experience), culture, communications, tools, methods, competitors, regulations, features, database, integration, QA--and oh, yeah, add security in there somewhere too.
But the complex SDLC process also has available rich bodies of experience and a multitude of resources and knowledge from which to learn to avoid problems, and in particular, security-related problems.
The Software Engineering Institute (SEI) at Carnegie Mellon University is a leader in research and in improving the SDLC process with training and tools such as the Capability Maturity Model Integration (CMMI). CMMI models are recipes of best practices to help technology executives dramatically improve the effectiveness, efficiency, and quality and their SDLC efforts. SEI is also home to CERT, a group focused on research and improving software knowledge and protection practices.
The Open Web Application Security Project (OWASP) is a security-focused nonprofit group whose stated mission is to make secure practices "visible" to help the development community make better decisions about software risks. OWASP formerly produced an annual top 10 list of the most common and most problematic software vulnerabilities, but has since pivoted to a monthly effort termed the "security blitz."
There are tools that exist to help improve and integrate secure coding into your SDLC. Static and dynamic application testing tools (SAST and DAST) can help pinpoint and discover problems during application-coding builds no matter if your development methodology is waterfall, agile, hybrid, or proprietary. Tools from companies such as CheckMarx make finding security-related coding errors as easy as the spell-checker in Microsoft Word.
Software development has literally changed the world in which we work and live, and has improved our quality of life in countless ways. The risks of breaches will continue to be a problem, as hackers continue to change methods, tools, and tactics. But the risks of breaches can be significantly reduced by simple, known, and available practices, tools, and education.
Here is to happier (and more secure) coding.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. Like us on Facebook. Follow us on Twitter.