Thursday, October 3, 2013

Put down the chips and go for a walk if you really want more secure software!

There are many ways to find and deal with software security bugs.  A significant difference between them involves the point at which they are employed in the software development lifecycle.  It’s similar to the different ways we treat human illness, like heart disease, which also differ based on the timing of their use.

If a person has heart disease, a doctor may recommend surgery to repair the damage.  Bypass surgery can repair damage and reduce the risk of death, but it’s not easy: the procedure lasts 4-5 hours and the heart is generally stopped for about 30-90 minutes while repairs are done via a 6-8 inch chest incision!

A better bet is to treat before disease ever strikes.  Special blood tests can be used to discover elevated levels of bad cholesterol, perhaps allowing the patient to take drugs that can reduce those levels before they have a chance to cause heart disease.  But these drugs take years to develop and test, they can be very expensive, and they require specialized ongoing care and lab monitoring while in use.  Hardly a simple remedy!

Earlier still, education about nutrition and exercise, and adopting a healthier lifestyle can help prevent bad cholesterol levels from becoming elevated in the first place, thus avoiding heart disease altogether.  It’s cheap, easy, fun, and anyone can do it with no specialized training!  And today, there are more ways than ever for health professionals to get people to adopt these preventive measures.  Think about the FitBit; a seemingly simple little thing, but which uses some very clever tech to encourage folks to do the right thing for their health.

Now, no health professional would claim that any of these three approaches are unnecessary.  They are all a matter of timing and of the individual patient.  Nutritional education alone cannot “cure” heart disease in a patient who already suffers from it.  And surgery would never be recommended for a healthy patient with no heart disease.  The trick is to employ the approach that comes at the lowest cost, has the lowest risk to the patient, requires the least specialized delivery, and has the highest likelihood for success.   

Software security bugs can be viewed in a similar way.  If a security bug is discovered in a deployed application, the developer can create a patch and distribute it to their customers.  It repairs the damage (hopefully - and hopefully without causing other damage) but it’s expensive, difficult, damaging to the business, damaging to the developer’s reputation, and still may only be a “patch” that can’t guarantee that more bugs won’t be found in the future.

Clearly, it’s better to find issues before the application is ever released.  Software security assessments (static and dynamic analysis, for example) in the development cycle can discover the bug, allowing the developers to repair the issue.  This beats patching a shipped product, of course, but it’s not without problems.  It’s heavyweight and requires the code to be nearly complete and running – which is especially problematic with greenfield development.  In the case of dynamic analysis, non-web applications get left out entirely.  All of this can mean delayed projects, complex code rewrites to implement a fix, and tools that are extremely costly and complex to manage.

So in software development, what’s the equivalent of lifestyle change?  What’s the anti-SQL Injection version of diet and exercise?  The FitBit of software security?  Something that is effective from the moment you write the first line of code, works in seconds, and requires no special training?  One answer is Cigital SecureAssist.  SecureAssist is a lightweight IDE plugin that points out common security vulnerabilities in real time as the developer is coding.  It reduces risk by delivering actionable guidance in context based on Cigital’s industry-leading experience and the developer’s organization’s own security frameworks and policies.   Like healthy lifestyle changes in disease prevention, SecureAssist can be used to reduce risk by pointing out opportunities to “build security in” when the code is being written in the first place.
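To make the “real time, as the developer is coding” idea concrete, here is an added example of the kind of check such an IDE-time tool performs.  It is illustration code written for this page, not SecureAssist’s code: a small Python AST visitor that flags SQL strings built by concatenation, `%` formatting, `.format()` or f-strings when they reach a `cursor.execute()`-style sink, and attaches the fix guidance a developer would want (use a parameterized query).  The two code snippets it scans are constructed for the example; the `execute`/`executemany` sink names and the one-function-deep variable tracking are assumptions of this toy checker, not a description of how any real product works.

```python
import ast
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: code a developer might type while working.
# Two unsafe sinks (string concatenation via a variable, and an f-string).
VULNERABLE_SNIPPET = '''
def find_user(cursor, username):
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    cursor.execute(query)

def delete_user(cursor, user_id):
    cursor.execute(f"DELETE FROM users WHERE id = {user_id}")
'''

# The same code after applying the guidance: parameters are passed
# separately, so the SQL text itself is a constant.
FIXED_SNIPPET = '''
def find_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))

def delete_user(cursor, user_id):
    cursor.execute("DELETE FROM users WHERE id = %s", (user_id,))
'''

GUIDANCE = ("Pass values as query parameters (e.g. cursor.execute(sql, (value,))) "
            "instead of building the SQL string from user-controlled data.")


@dataclass
class Finding:
    line: int       # line of the execute() call
    built_at: int   # line where the dynamic SQL string was built
    message: str
    guidance: str


def _has_non_literal(node: ast.AST) -> bool:
    """True if a '+' chain contains anything other than literal constants."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _has_non_literal(node.left) or _has_non_literal(node.right)
    return True


def _builds_string_dynamically(node: ast.AST) -> bool:
    """Recognise the common ways a SQL string gets data spliced into it."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _has_non_literal(node)                      # "..." + value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True                                        # "..." % value
    if isinstance(node, ast.JoinedStr):                    # f"...{value}"
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                  # "...".format(value)
    return False


class SqlConcatChecker(ast.NodeVisitor):
    SINK_METHODS = {"execute", "executemany"}  # assumed DB-API style sinks

    def __init__(self) -> None:
        self.findings: List[Finding] = []
        self._dynamic_names: Dict[str, int] = {}  # var name -> line it was built

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self._dynamic_names = {}        # toy scope handling: one function at a time
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        for target in node.targets:
            if isinstance(target, ast.Name):
                if _builds_string_dynamically(node.value):
                    self._dynamic_names[target.id] = node.lineno
                else:
                    self._dynamic_names.pop(target.id, None)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in self.SINK_METHODS and node.args):
            arg = node.args[0]
            built_at = None
            if _builds_string_dynamically(arg):
                built_at = node.lineno
            elif isinstance(arg, ast.Name) and arg.id in self._dynamic_names:
                built_at = self._dynamic_names[arg.id]
            if built_at is not None:
                self.findings.append(Finding(
                    line=node.lineno, built_at=built_at,
                    message=f"SQL passed to {node.func.attr}() is built from "
                            f"runtime data (line {built_at}); possible SQL injection.",
                    guidance=GUIDANCE))
        self.generic_visit(node)


def check_source(source: str) -> List[Finding]:
    """Scan one file's worth of Python source and return the findings."""
    checker = SqlConcatChecker()
    checker.visit(ast.parse(source))
    return checker.findings


if __name__ == "__main__":
    for f in check_source(VULNERABLE_SNIPPET):
        print(f"line {f.line}: {f.message}\n  fix: {f.guidance}")
    print("fixed snippet findings:", check_source(FIXED_SNIPPET))
```

Run on the vulnerable snippet it reports two findings, one per `execute()` call, each pointing back to the line where the string was assembled; on the fixed snippet it reports none.  A real IDE plugin does the same kind of thing with far more sink, source and language coverage, but the shape is the same: a cheap check that runs on the code as it is typed, long before a static-analysis run or a penetration test would see it.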

As with medicine, your selection of a security approach needs to consider lowest cost, lowest risk, ability for everyone (even without special security training) to use it, and highest likelihood for success.  Addressing a bug after it’s been released is obviously the least appealing – it’s the open heart surgery of the bug-fixing world.  Pre-launch discovery of a bug is something like cholesterol testing and drug therapy: labs that must be staffed with specialists, massive R&D costs to develop the drugs, and the risk of side effects.  But the lowest cost, lowest risk approach that can be done by anyone without any special training is SecureAssist.

Now, go out there and get your software healthy by starting a free 30-day trial of SecureAssist at - and while it’s downloading, maybe go out for a walk and eat some kale!

Wednesday, September 18, 2013

My new gig; still making hard things easy

I’m a software guy and I've loved working with developers for 20 years now.  My entire career has been about helping software developers be more successful by making hard things easy.  In the 90s, creating dynamic web applications was difficult and out of reach for many developers: when I worked for Allaire (later Macromedia/Adobe), ColdFusion changed that.  In the middle of the last decade, developers struggled to create rich internet applications in a way that fit their development style: when I worked at Macromedia/Adobe, Flex changed that.  At Atlassian, the target was the whole software development lifecycle.  Unifying planning, issue tracking, source code management, and build engineering was incredibly complex, and when I worked there, great products like JIRA, Bamboo, Greenhopper, Fisheye & Crucible changed all that.  And at Microsoft, the goal was moving ISVs to the cloud where they could grow faster and better than ever.

But there’s one thing that’s still too hard, yet incredibly important: making software secure.  Hardly a day goes by when you don’t hear about some malicious hacker bringing down a website, or a vulnerability putting someone’s entire business at risk.  Yet when I ask developers what they do about security, I generally get a shrug.  “I know it’s important and I do what I can, but I’m no expert.” 

On the other end of the spectrum, developers who work in financial services or other regulated industries groan and roll their eyes and say, “I hate dealing with the security team!”  Late security audits reveal issues long after the time when they’re most easily addressed and create a bottleneck to ever actually getting the thing out the door. 

The more we rely on software to run our world, the more we need to be confident that it’s safe – but the higher the need for security, the more onerous the burden for developers.  It’s another hard thing, and I'm now part of a team whose goal is to make it easy!

Cigital Inc. (, where I've joined as VP of Product Management, was established in 1992 with funding and contracts from DARPA and NASA.  Today they’re the world’s largest consulting firm specializing in software security.  Twenty years of research and thousands of successful software security consulting engagements at leading public and private organizations throughout the world have generated a lot of expertise, as you can imagine.  So what if you could take that knowledge and experience and put it into products to help developers design, build, and maintain secure software?  Well, that’s just what I’m here to do.

We have several products already, the most important of which is “SecureAssist.”  It’s an IDE plugin that can help you identify and fix security issues in your code before it even goes to a security team for review.  No security team?  SecureAssist is like peer programming with a security guru – you don’t need to know an SQL injection from a buffer overflow, SecureAssist will spot an issue in your code and help you fix it yourself.

Of course, just finding security issues isn’t much use if you don’t become better at writing secure software (you know, the whole “teach a man to fish” thing).  While SecureAssist shows you where your code may be vulnerable and suggests a way to fix it, we also provide the industry’s best and most comprehensive security training for developers.  With hundreds of security experts on staff, we have access to the best subject matter experts anywhere.  And we’ve taken their knowledge and delivered it in scores of eLearning modules.  Topics like “Defensive Programming for Javascript and HTML5,” “Foundations of iOS (or Android) Security,” or “Architecture Risk Analysis” can get your whole team up to speed on the fundamentals (and advanced topics) in creating secure software.  We can also do instructor-led training.  Order a stack of pizzas, a couple liters of Dr. Pepper, and let the good times roll!

And really, that’s just the start.  I’m excited to get back out there and talk to you about other products and services we’re developing, other ways in which we can ease the process of keeping your software secure – while still fitting in with the way you work.

Cigital isn’t a bunch of security people trying to tell developers what to do.  We’re a bunch of developers who care about helping other developers get better at making great apps: apps that are beautiful, useful, and safe.  That’s what ultimately made me want to join this team.  Security is hard, but it’s really important.  Let’s make it easier.