Aujas US

An IDG Ventures Company

Secure Software Development by Design

New innovations and complex software features are a part of the evolving world of software development. Secure software, however, is still a dream when compared to robust, usable and rich functional software, and software security issues have grown manifold.

Security is often considered complex by software development professionals, who have the misconception that it hinders software performance and usability. On the contrary, a secure system is far more robust and usable: it lets the user work with the system efficiently and provides one way to do each activity.

With security being given short shrift by professionals, it would require a change in attitude to move security from being viewed as a hindrance to being viewed as a benefit. Such an attitude change would bring much needed innovation to the task of mitigating software risks and vulnerabilities.

Profound knowledge of software vulnerabilities is not needed to address the basic security risks encountered by applications. Basic vulnerabilities, such as those listed by the Open Web Application Security Project (OWASP), are easily mitigated by using a framework or reusable code.

Frameworks like Java Spring, ASP.NET view state, C# cryptography and security, Hibernate, etc. are reusable modules that mitigate the most commonly known risks. However, the fundamental problem is one of awareness and of a change in focus: looking at security as an enabler rather than a hindrance to usability or performance.

For example, in security the best way to generate a random number is to seed the random generator with a random value. But this method would hit the performance of the system, as the seeding logic on Unix/Linux machines is mostly done by reading a file, and because of the file I/O it is not a multithreaded operation. So it is essential for a developer to understand and mitigate this as a performance issue, rather than giving up and thinking that security is hindering the performance. The reason for using a random number should be evaluated with the following questions:
• What is the purpose of using a random number? And what would happen if the random number were predictable?
• Can a UUID alone not be used to achieve the goal?

If the random number can be predictable and we do not have an issue with it, then seed the generator once and not each time. If the random number must be unpredictable, then a UUID is not a good idea. It would be better to create a simple random number and encrypt it with a secret key. The key ensures that a performance bottleneck is avoided while still creating a random number that is not predictable unless someone knows both the seed and the secret key, which is not likely.
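An added sketch of the approach described above, not code from the original post: the generator is seeded once at start-up, and each simple random value is passed through a keyed function before it is handed out. `KeyedTokenSource`, `simple_sequence` and `demo` are hypothetical names, and HMAC-SHA256 is an assumption standing in for the "encrypt with a secret key" step.

```python
import hashlib
import hmac
import os
import random
import threading


class KeyedTokenSource:
    """Seed once at start-up, then key every value with a secret.

    Assumption: HMAC-SHA256 stands in for the "encrypt with a secret key"
    step, because the Python standard library ships no block cipher.
    """

    def __init__(self, key=None, seed=None):
        # One read from the kernel entropy source per process, not per token.
        self._key = key if key is not None else os.urandom(32)
        self._simple = random.Random(seed if seed is not None else os.urandom(16))
        self._counter = 0
        self._lock = threading.Lock()  # keeps counter and generator in step

    def token(self):
        with self._lock:
            self._counter += 1
            msg = self._counter.to_bytes(8, "big")
            msg += self._simple.getrandbits(64).to_bytes(8, "big")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


def simple_sequence(seed, n):
    """The simple generator alone: whoever learns the seed replays it."""
    rng = random.Random(seed)
    return [rng.getrandbits(64) for _ in range(n)]


def demo():
    seed = 1234  # constructed sample values, for illustration only
    key_a, key_b = b"A" * 32, b"B" * 32
    replayable = simple_sequence(seed, 3) == simple_sequence(seed, 3)
    first = KeyedTokenSource(key_a, seed).token()
    other_key = KeyedTokenSource(key_b, seed).token()
    same_both = KeyedTokenSource(key_a, seed).token()
    return replayable, first != other_key, first == same_both


if __name__ == "__main__":
    print(demo())
```

Python's `secrets` module draws from the operating system's generator directly and is the simpler choice where its throughput is sufficient.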

Every problem we encounter today is unique for each company, though the solutions remain the same. The final implementation and design should be owned by the development team. In access controls, the role-based access control (RBAC) model is considered one of the best, but we still see software engineers re-engineering and reinventing the wheel. The same software engineers do not reinvent Hibernate or LINQ. Here again, an attitude change would help mitigate these issues, and awareness of designs and frameworks would eliminate basic security issues.

It’s time we wake up with a new attitude towards security. Awareness, Attitude and Innovations are essential to drive security within organizations. Statistical tools will aid in detecting language-level vulnerabilities and misuse of methods and functions. It is high time that requirements, architecture and design are influenced by security, performance and usability.

June 21, 2011 | Secure code development

The Business Case for Secure Development Lifecycle

Software is integral to business operations for most organizations. Unfortunately, the increasingly indispensable nature of software-based systems has also made them high-value targets for cyber crime.

Today, most of the vulnerabilities targeted by cyber criminals are at the application level rather than at the operating system or network levels. The cost involved in fixing these vulnerabilities is very high due to:

• Incident response
• Customer compensation
• Penalties for compliance violations
• Short-term fixes
• Cost to remediate the problem

When a cyber attack is successful, fixing vulnerabilities can grow even more costly.

Although recognition of the importance of secure systems is growing, software security must still compete for a place in an increasingly tight enterprise budget. However, a well-optimized security program can reduce the overall cost of developing an application and the business process it enables. The program can integrate security at various layers to mitigate risks that the company or software can face.

One proven and time-tested model is to incorporate security into every stage of the software development lifecycle. The Microsoft Security Development Lifecycle (SDL) is one such comprehensive process that offers an industry-leading software security methodology. The Microsoft SDL embeds security and privacy throughout the software development process.

The SDL delivers real cost savings:

• When software development processes include security practices as early as possible, the cost to fix many vulnerabilities can decrease dramatically.
• A structured approach to security makes the process more predictable, can significantly improve its efficiency, and allows the security team to deploy its resources in a heavily leveraged, top-down manner.
• It is cheaper to plan early and have a security requirement rather than performing a final verification.
• A combination of high-level analysis, low-level review, metrics-based risk management, and tools can provide an optimal, measurable ROI.

By following a defined process like the SDL, vulnerabilities are more likely to be found and fixed prior to application deployment. This helps reduce the total cost of software development.

Improving the security of a system makes it more reliable and less expensive to operate in multiple ways. While software security efforts require some resource commitment, a significant ROI can often be achieved with a small initial expense. Careful use of metrics allows tracking of the effects of the investment, and those same metrics allow long-term improvement of security ROI and overall effectiveness.

Understanding software security problems is a foundational part of building better software. A recent survey conducted by Forrester Consulting noted that 0 out of 7 company executives who responded selected “lack of time to perform security tasks” as a challenge for implementing a secure development program. Rather, they cited “lack of security expertise”… as a top challenge. So it’s essential to know what talent is available in-house and where to look for expert advice.

Aujas is a member of the Microsoft SDL Pro Network, a group of security consultants, training companies, and tool providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the SDL. We can help you make security and privacy an integral part of how software is developed for your company.

 

For more information about Aujas and the Microsoft SDL Pro Network, contact Karl Kispert at karl.kispert@aujas.com.

April 11, 2011 | Cyber Crime, Enterprise Security, SDL, Secure Development Lifecycle

Secure Code Development Is in Your Future

Microsoft SDL Pro Network Is at the Forefront – and Aujas Is There

Secure code development will become a standard in the near future, according to industry experts at Network World. As the Federal Government continues to require cyber supply chain assurance, you won’t be able to sell any technology products to the government unless you adhere to a Secure Development Lifecycle (SDL) model. Other critical infrastructure industries such as financial services, utilities and telecommunications are adopting these requirements as well.

The Microsoft SDL is a security assurance process that combines holistic and practical approaches, and introduces security and privacy throughout all phases of the development process. Microsoft made its own SDL public as part of its commitment to protecting customers and enabling a more trusted computing experience.

Member of the Microsoft SDL Pro Network

Aujas is now a member of the Microsoft SDL Pro Network. As a Network member, we are part of a group of security consultants, training companies, and tool providers that specialize in application security. Network members have substantial experience and expertise with the Microsoft SDL methodology and technologies.

According to David Ladd, Principal Security Program Manager at Microsoft, “We are very happy to have Aujas join the SDL Pro Network. As an IDG company with a global presence, Aujas will help organizations around the world improve their software security process to overcome security and privacy issues.”

Adds Karl Kispert, Aujas Vice President of Sales, “Our vision is to manage risk and enhance information value for our clients. By implementing the SDL framework, we can help our clients manage their software risk, meet compliance requirements, improve software quality and enhance information value.”

The services Aujas offers as a Network member are designed to span the entire lifecycle and make security and privacy an integral part of how software is developed. Specific capabilities include:

  • Training, Policy and Organizational Capabilities, including security training and advice on how to implement the SDL
  • Requirements and Design, including risk analysis, functional requirements and threat modeling
  • Implementation, including use of banned APIs, code analysis and code review
  • Verification, including fuzzing and Web application scanning
  • Release and Response, including final security review (FSR), penetration testing, and response planning and execution

Aujas’ Secure Development Life Cycle Services assist in recognizing and avoiding security pitfalls during the software development lifecycle, and also correct security problems once they arise. It is the transformation of the Software Development Lifecycle into a Secure Development Life Cycle.

Our Strategy and Planning services help organizations categorize applications according to the risk each application presents to the business and formalize the security requirements for the same.

The Aujas Application Architecture and Design Review services check if all the security elements have been considered during the design phase and provide feedback for the architects to adjust the design for maximum security and privacy.

To find out how Aujas can help you implement Microsoft SDL, contact Karl Kispert, our VP of Sales.

January 4, 2011 | IT security, Risk management, SDL, Secure code development