Aujas US

An IDG Ventures Company

Secure Software Development by Design

New features and ever more complex integrations are a routine part of software development. Secure software, however, remains an aspiration next to the robust, usable and feature-rich software we have learned to build, and the number of software security issues has grown manifold.

Security is often considered complex by software development professionals, who hold the misconception that it hinders performance and usability. On the contrary, a secure system is more robust and more usable: it lets the user work efficiently because it offers one well-defined way to perform each activity, and it fails safely instead of in surprising ways.

Because security is given short shrift by these professionals, a change in attitude is required to move it from being seen as a hindrance to being seen as a benefit. That change would bring much-needed innovation to the task of mitigating software risks and vulnerabilities.

Deep knowledge of software vulnerabilities is not needed to address the basic security risks that applications face. Common vulnerability classes, such as those in the Open Web Application Security Project (OWASP) Top Ten, are largely mitigated by using a framework or reusable code rather than hand-written checks.

Frameworks and libraries such as Java Spring (including Spring Security), ASP.NET view state with its integrity protection, the .NET cryptography and security namespaces, and Hibernate with its parameterized queries are reusable modules that mitigate the most commonly known risks. The fundamental problem, however, is awareness: the change in focus needed to see security as an enabler rather than as a hindrance to usability or performance.

For example, the textbook advice is to seed the random number generator with a truly random value. Doing this on every call, however, hurts performance: on Unix/Linux the seed is typically read from a device file such as /dev/random, which can block until the kernel has gathered enough entropy, and that read is serialized file I/O that does not parallelize across threads. The developer's job is to understand and mitigate this as a performance issue rather than to give up and conclude that security is hindering performance. Start by evaluating why the random number is needed:
• What is the random number for, and what happens if an attacker can predict it?
• Would a UUID alone achieve the goal?

If predictability is acceptable, seed the generator once at start-up rather than on every call. If the number must be unpredictable, a UUID is not the answer: a version 1 UUID is built from a timestamp and the machine's MAC address and is therefore predictable, and a version 4 UUID is only as unpredictable as the generator behind it. A cheaper alternative is to draw from a fast, once-seeded generator and encrypt (or otherwise key) each output with a secret key. This avoids the seeding bottleneck while keeping the output unpredictable to anyone who does not know both the seed and the key. Two caveats apply: the construction is only as strong as the key, which must itself come from a strong source, and the input to the cipher must never repeat, so mixing a counter into each value is a sensible addition. This is essentially what a deterministic random bit generator such as NIST's CTR_DRBG does internally, so where the platform already offers a properly seeded CSPRNG (java.security.SecureRandom, System.Security.Cryptography.RandomNumberGenerator, /dev/urandom), use that first.
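The seed-once-then-key construction described above, as an added example that is not code from the original post. The post proposes encrypting each value with a secret key; because the Python standard library ships no block cipher, this example keys each output with HMAC-SHA256 instead, an assumption on my part (any keyed pseudorandom function plays the same role as the cipher). The seed value and the key in the demonstration are constructed for illustration; in a real system the key comes from the platform CSPRNG once and is kept secret.

```python
"""Seed once, then key the output: an added example, not code from the post.

The standard library has no block cipher, so this example keys the output
with HMAC-SHA256 (an assumption; any keyed PRF plays the cipher's role).
Where a platform CSPRNG is available, `secrets` / `os.urandom` should be
used directly; this shows what such a generator does internally.
"""
import hashlib
import hmac
import random
import secrets


def predictable_stream(seed, count):
    """A plain PRNG: anyone who knows the seed reproduces every value."""
    rng = random.Random(seed)
    return [rng.getrandbits(64) for _ in range(count)]


class KeyedRng:
    """Fast PRNG seeded once, with every output keyed under a secret key.

    Output i is HMAC(key, counter_i || prng_output_i). Reproducing it needs
    the key as well as the seed. The counter makes the HMAC input unique per
    call, so a repeated PRNG value (or a reused seed) cannot repeat an output.
    """

    def __init__(self, key, seed=None):
        if len(key) < 32:
            raise ValueError("key must be at least 32 bytes from a strong source")
        self._key = bytes(key)
        # The one expensive step: read OS entropy once, at construction time,
        # instead of on every call. A caller may pass a seed for reproducibility.
        if seed is None:
            seed = secrets.randbits(128)
        self._prng = random.Random(seed)
        self._counter = 0

    def next_bytes(self):
        """Return 32 bytes that are unpredictable without the key."""
        self._counter += 1
        raw = self._prng.getrandbits(64).to_bytes(8, "big")
        message = self._counter.to_bytes(8, "big") + raw
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def next_int(self, upper):
        """Uniform integer in [0, upper) by rejection sampling over 256 bits."""
        if upper <= 0:
            raise ValueError("upper must be positive")
        limit = (1 << 256) - ((1 << 256) % upper)
        while True:
            value = int.from_bytes(self.next_bytes(), "big")
            if value < limit:
                return value % upper


def attacker_can_reproduce(seed, count, observed):
    """Model an attacker who learned the seed but not the key."""
    return predictable_stream(seed, count) == observed


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated once, kept secret
    rng = KeyedRng(key, seed=1234)  # constructed seed for the demonstration
    plain = predictable_stream(1234, 3)
    keyed = [rng.next_bytes().hex() for _ in range(3)]
    print("known seed reproduces the plain PRNG:",
          attacker_can_reproduce(1234, 3, plain))
    print("keyed outputs (not reproducible without the key):", keyed)
    print("die roll:", KeyedRng(key).next_int(6) + 1)
```

The point to take from running it is that the plain stream is fully reproducible from the seed, while the keyed stream is not, and that the per-call cost is one HMAC rather than one read of the entropy device. The `next_int` helper shows the other common mistake, biased reduction with `%`, being avoided by rejection sampling.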

Every problem we encounter today is specific to the company, yet the solutions remain the same, and the final design and implementation should be owned by the development team. In access control, the role-based access control (RBAC) model is considered one of the best, yet we still see software engineers reinventing it from scratch with ad-hoc permission checks scattered through the code. The same engineers do not reinvent Hibernate or LINQ. Here again an attitude change, together with awareness of established designs and frameworks, would eliminate basic security issues.
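An RBAC module of the kind the paragraph above says should be reused rather than reinvented, as an added example that is not code from the original post. The roles, permissions and user names are constructed for the demonstration; the design choices worth noting are deny-by-default answers for anything unknown, role inheritance resolved in one place, and a single `require` call at the entry of each privileged operation instead of conditionals on user names.

```python
"""Role-based access control as a reusable module: an added example, not
code from the post. Roles, permissions and users are constructed for the demo.
"""


class Rbac:
    """Users hold roles; roles hold permissions; roles may inherit other roles.

    Every check is deny-by-default: unknown users, roles and permissions all
    answer False. The permission check is the single place where the decision
    is made, so callers never encode policy in ad-hoc conditionals.
    """

    def __init__(self):
        self._role_perms = {}    # role -> set of permissions
        self._role_parents = {}  # role -> set of roles it inherits from
        self._user_roles = {}    # user -> set of roles

    def add_role(self, role, inherits=()):
        self._role_perms.setdefault(role, set())
        parents = self._role_parents.setdefault(role, set())
        for parent in inherits:
            if parent not in self._role_perms:
                raise KeyError(f"unknown parent role {parent!r}")
            parents.add(parent)

    def grant(self, role, permission):
        if role not in self._role_perms:
            raise KeyError(f"unknown role {role!r}")
        self._role_perms[role].add(permission)

    def assign(self, user, role):
        if role not in self._role_perms:
            raise KeyError(f"unknown role {role!r}")
        self._user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self._user_roles.get(user, set()).discard(role)

    def effective_roles(self, user):
        """All roles a user holds, following inheritance (cycle-safe)."""
        seen = set()
        stack = list(self._user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self._role_parents.get(role, ()))
        return seen

    def permissions(self, user):
        perms = set()
        for role in self.effective_roles(user):
            perms |= self._role_perms.get(role, set())
        return perms

    def can(self, user, permission):
        return permission in self.permissions(user)

    def require(self, user, permission):
        """Raise rather than return, for use at a privileged operation's entry."""
        if not self.can(user, permission):
            raise PermissionError(f"{user!r} lacks {permission!r}")


def sample_policy():
    """Constructed policy for a small content system (demo data)."""
    rbac = Rbac()
    rbac.add_role("reader")
    rbac.add_role("editor", inherits=["reader"])
    rbac.add_role("admin", inherits=["editor"])
    rbac.grant("reader", "article:read")
    rbac.grant("editor", "article:write")
    rbac.grant("admin", "article:delete")
    rbac.grant("admin", "user:manage")
    rbac.assign("alice", "reader")
    rbac.assign("bob", "editor")
    rbac.assign("carol", "admin")
    return rbac


def delete_article(rbac, user, article_id):
    """Privileged operation guarded by one check at its entry point."""
    rbac.require(user, "article:delete")
    return f"deleted {article_id}"


if __name__ == "__main__":
    policy = sample_policy()
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, sorted(policy.permissions(user)))
    print(delete_article(policy, "carol", 42))
    try:
        delete_article(policy, "bob", 42)
    except PermissionError as err:
        print("denied:", err)
```

Adding a new permission or role then touches only the policy, not the operations that consume it, which is the reuse the paragraph is asking for.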

It is time we wake up with a new attitude towards security. Awareness, attitude and innovation are essential to drive security within organizations. Static analysis tools will aid in detecting language-level vulnerabilities and misuse of methods and functions. It is high time that requirements, architecture and design were shaped by security alongside performance and usability.

June 21, 2011 | Secure code development