Businesses should pay more attention to software security

SAN JOSE – Most businesses aren’t doing enough to build and buy securely written software, according to a panel of corporate security executives, academics and professional software developers speaking at the RSA Conference last week.

The problem stems in part from a failure to ask about how securely commercial software is written and failure to train in-house software developers to write applications that leave few vulnerabilities, said the panel that was drawn together by the Secure Software Forum, a group founded last year to promote applications that resist attacks.

The threat is enormous, according to Gartner, which says 70% of business security vulnerabilities are at the application layer. This is compounded by 64% of in-house business software developers admitting they lack confidence that they can write secure applications, according to research done by Microsoft, a sponsor of the forum.

But businesses need to do better, said Dave Cullinane, chief information security officer of financial firm Washington Mutual in Seattle Wash. “If you have an application exposed to the Internet that will allow people to make money, it will be probed,” Cullinane said, and the consequences of being breached are not only financial but also damaging to the reputation of the company. “You will lose money; you will have problems. The reputation risk can literally put you out of business. Twenty percent to 45% of customers will leave you if you report a security breach.”

When buying commercial software for business applications, corporate customers need to find out what architectural procedures the vendor followed and how stringently the software has been tested for weaknesses that can be exploited, the panel said.

This software review should include finding out where software is written – whether it is outsourced to other companies – and what the security parameters these consultants follow, the panel said.

In addition, businesses should train their in-house application developers in writing secure code. If they have knowledge of security threats, they can defend against them when they write, the panel said.

In practice, very few companies do this, according to a survey of Fortune 1000 companies polled by the forum during seminars it held over the past year. Only 36% of those companies polled educate their software teams about security, and 30% said they have integrated security assurance programs in their software development process.

Panel member Caleb Sima, CTO of SPI Labs, agreed that education helps, but developers also need tools that flag potential flaws as the code is being written and can fix them automatically. The job of the developer should be to write applications that perform specified functions and accomplish the task in a set amount of time. They are not security experts, nor should they be.

Penny Lane, chief information security specialist for Visa in San Francisco, said developers don’t have a good picture of the realm of threats at all different layers of the network, so they have trouble conceiving of the types of threats they should guard against.

Justin Peavey, vice president of security architecture and engineering for State Street in Boston, said developers should write applications according to sound principles that isolate the areas of code that represent risk so if a flaw is found, only a few lines of code need to be rewritten to fix it. “If the threat is distributed throughout the code, then it’s impossible to find the vulnerability,” he said.

Once code is written, it should be tested for flaws. This task may have to be performed by specially trained staff because normal quality assurance testers don’t have the training to do the job, the panel said.