App developers finally securing code

Businesses increasingly are adopting scanning tools, security testing to decrease source code vulnerability

On Aug. 14, IT security training and research authority SANS Institute will convene its inaugural set of exams for software developers seeking to attain its new secure coding certifications. The rise of such initiatives -- and increasing adoption of source code vulnerability scanning tools among internal software development teams -- are finally making a difference in overall applications security, some end users and industry experts contend.

According to Allan Paller, director of research for SANS, based in Bethesda, Md., large businesses have moved aggressively in the last 18 months to push their applications developers to incorporate security testing into almost every facet of their work.

As a result, he said, companies are finally beginning to realize significant applications security gains as developers become more careful and enlist new tools to drive vulnerabilities out of their code.

"There's no older question in security than when will developers finally figure out a way to eliminate buffer overflows, everyone has asked that at some time or another, the difference is that developers themselves have discovered that they have become targets," said Paller. "People traditionally haven't thought about designing applications with the idea that someone else would be attacking them, and that's been a major discovery."

It wasn't until roughly two years ago -- when more comprehensive systems software patching programs and the arrival of stronger intrusion prevention systems (IPS) pushed hackers to move their work to the applications level -- that developers were finally forced to face unwavering demands from management to clean up their code, said the expert.

The internal secure development initiatives that arose from those mandates are finally bearing fruit, he said.

"As soon as developers started thinking that someone would be trying to misuse everything they designed, things started to change, but it's taken time since it wasn't on their radar 18 months ago," said Paller. "Some people obviously started doing this work years ago, but it never became a trend until attackers came directly after the applications."

In addition to offering security training and certification tests for programming languages including .Net and Perl, SANS is working with 60 universities to inject secure coding programming into their software development curriculums.

Along with a more aggressive approach to security on the part of developers, Paller cited the arrival of more powerful applications code scanning tools as key to the recent improvements.

According to a research report published by Stamford, Conn.-based Gartner in May 2007, approximately 60 percent of all IT organizations will have made security vulnerability detection an "integral" part of their software development process in 2010.

By that time, an estimated 40 percent of organizations will have enlisted the help of a vendor marketing both source code scanning and Web application vulnerability testing tools, the research company said.

For organizations such as the United States Agency for International Development (USAID) -- an independent federal government agency that carries out economic and humanitarian efforts under guidance from the U.S. Secretary of State -- the work to improve development security goes slowly, said Bill Geimer, a program manger in the organization.

Trying to improve the security of applications development spread across the globe is no easy task, he said, but with the help of some new tools the effort is making headway.

"We don't have the software development budget of or eBay, it's an incremental process, but we've found that developers are responding more positively to security assessment reports than we had originally imagined," Geimer said.

"When it comes down to it, these people don't want to develop insecure code or get their Web sites defaced," he said. "The first phase is to fix issues before they reach production, and to do that we're trying to drive secure tools and methods into their hands."

One of the technologies USAID is arming its developers with is Atlanta-based SPI Dynamics' Assessment Management Platform (AMP), used to track and measure Web applications security risks.

Brian Cohen, chief executive of SPI, said that his company has been trying to sell its applications testing tools to developers for over two years, but he has only seen adoption begin to grow significantly since mid-2006.

Prior to that time, the only consistent demand for the technology came in the form of partnerships with software development platform providers including IBM, Mercury and Microsoft, he said.

"The message just didn't resonate with end users unless it was something built directly into one of the popular development platforms," Cohen said. "Now we're finally seeing more development groups ask for this technology for themselves; at a high level, organizations would prefer just to block vulnerabilities after the fact, but they've finally learned that they can't afford to maintain that type of approach."

Despite the growing predisposition toward the use of secure development automation tools among businesses, the ages-old question of what types of problems should be handled by software designers -- and which should be tackled by IT security specialists, remains a stumbling block, according to the executive.

"There's still a lack of understanding among security workers and development teams as to who is responsible for what," said Cohen. "But hopefully we'll see experience and education lead to new progress in that area as well."

Mike Weider -- founder and chief technology officer at rival Web application security testing tools vendor Watchfire, Waltham, Mass. -- said that targeted attacks against online transactional and customer service systems at retailers and financial services companies have served as a wakeup call.

With the fear of having their Web sites hacked and facing sharp criticism from regulators and customers when things go wrong, companies are finally embracing vulnerability testing applications designed specifically for use by developers, he said.

In mid-April, Watchfire added features in its new AppScan 7.5 release aimed specifically at users in the development realm of Web applications quality assurance.

Tired of paying high-priced consultants to ferret-out vulnerabilities on a cyclical basis, more large organizations than ever are creating security testing teams within their software development departments, he said.

"Many of these companies have thousands of applications and developers, and only small teams of security professionals available to do all the work necessary to track and remove all the errors, so security teams are reaching out to development to take on some of this daunting workload," said Wieder. "Everyone from the government to financial services firms and retailers are looking at the regulatory environment and seeing the writing on the wall in terms of being forced to take responsibility for breaches; this is pushing the work down to developers who are creating demand for new tools."

At least one Watchfire customer said that the availability of such security testing technologies is allowing it to make headway in instilling new secure coding practices among its developers.

"We used to hire a third party to do vulnerability assessment of production level code, then we would report their findings to the business units, and unless something was high-level it would just get put on a release schedule," said Ethan Stieger, chief security officer at automotive market intelligence firm Polk Global Automotive, based in Southfield, Mich.

"This technology allows us to fix things when they're being developed, which is the right way to do things, if you wait until production, that's a lot more invasive in environment, and the security issues are exposed to the outside world," he said. "We're still tying to sell this effort internally, but now we can do so on the commercial value of keeping potential attacks at bay."