App developers finally securing code

On Aug. 14, IT security training and research authority SANS Institute will convene its inaugural set of exams for software developers seeking to attain its new secure coding certifications. The rise of such initiatives -- and increasing adoption of source code vulnerability scanning tools among internal software development teams -- are finally making a difference in overall applications security, some end users and industry experts contend.

According to Allan Paller, director of research for SANS, based in Bethesda, Md., large businesses have moved aggressively in the last 18 months to push their applications developers to incorporate security testing into almost every facet of their work.

As a result, he said, companies are finally beginning to realize significant applications security gains as developers become more careful and enlist new tools to drive vulnerabilities out of their code.

"There's no older question in security than when will developers finally figure out a way to eliminate buffer overflows, everyone has asked that at some time or another, the difference is that developers themselves have discovered that they have become targets," said Paller. "People traditionally haven't thought about designing applications with the idea that someone else would be attacking them, and that's been a major discovery."

It wasn't until roughly two years ago -- when more comprehensive systems software patching programs and the arrival of stronger intrusion prevention systems (IPS) pushed hackers to move their work to the applications level -- that developers were finally forced to face unwavering demands from management to clean up their code, said the expert.

The internal secure development initiatives that arose from those mandates are finally bearing fruit, he said.

"As soon as developers started thinking that someone would be trying to misuse everything they designed, things started to change, but it's taken time since it wasn't on their radar 18 months ago," said Paller. "Some people obviously started doing this work years ago, but it never became a trend until attackers came directly after the applications."

In addition to offering security training and certification tests for programming languages including .Net and Perl, SANS is working with 60 universities to inject secure coding programming into their software development curriculums.

Along with a more aggressive approach to security on the part of developers, Paller cited the arrival of more powerful applications code scanning tools as key to the recent improvements.

According to a research report published by Stamford, Conn.-based Gartner in May 2007, approximately 60 percent of all IT organizations will have made security vulnerability detection an "integral" part of their software development process in 2010.

By that time, an estimated 40 percent of organizations will have enlisted the help of a vendor marketing both source code scanning and Web application vulnerability testing tools, the research company said.

For organizations such as the United States Agency for International Development (USAID) -- an independent federal government agency that carries out economic and humanitarian efforts under guidance from the U.S. Secretary of State -- the work to improve development security goes slowly, said Bill Geimer, a program manger in the organization.