Thursday, October 3, 2013

Put down the chips and go for a walk if you really want more secure software!

There are many ways to find and deal with software security bugs.  A significant difference between them involves the point at which they are employed in the software development lifecycle.  It’s similar to the different ways we treat human illness, like heart disease, which also differ based on the timing of their use.

If a person has heart disease, a doctor may recommend surgery to repair the damage.  Bypass surgery can repair damage and reduce the risk of death, but it’s not easy: the procedure lasts 4-5 hours and the heart is generally stopped for about 30-90 minutes while repairs are done via a 6-8 inch chest incision!

A better bet is to treat before disease ever strikes.  Special blood tests can be used to discover elevated levels of bad cholesterol, perhaps allowing the patient to take drugs that can reduce those levels before they have a chance to cause heart disease.  But these drugs take years to develop and test, they can be very expensive, and they require specialized ongoing care and lab monitoring while in use.  Hardly a simple remedy!

Earlier still, education about nutrition and exercise and the adoption of a healthier lifestyle can help prevent bad cholesterol levels from becoming elevated in the first place, thus avoiding heart disease altogether. It’s cheap, easy, fun, and anyone can do it with no specialized training! And today, there are more ways than ever for health professionals to get people to adopt these preventive measures. Think about the FitBit: a seemingly simple little thing that uses some very clever tech to encourage folks to do the right thing for their health.

Now, no health professional would claim that any of these three approaches is unnecessary. They are all a matter of timing and of the individual patient. Nutritional education alone cannot “cure” heart disease in a patient who already suffers from it. And surgery would never be recommended for a healthy patient with no heart disease. The trick is to employ the approach that comes at the lowest cost, has the lowest risk to the patient, requires the least specialized delivery, and has the highest likelihood of success.

Software security bugs can be viewed in a similar way.  If a security bug is discovered in a deployed application, the developer can create a patch and distribute it to their customers.  It repairs the damage (hopefully - and hopefully without causing other damage) but it’s expensive, difficult, damaging to the business, damaging to the developer’s reputation, and still may only be a “patch” that can’t guarantee that more bugs won’t be found in the future.

Clearly, it’s better to find issues before the application is ever released. Software security assessments (e.g., static and dynamic analysis) in the development cycle can discover the bug, allowing the developers to repair the issue. This beats patching a shipped product, of course, but it’s not without problems. It’s heavyweight and requires the code to be nearly complete and running – which is especially problematic with greenfield development. In the case of dynamic analysis, non-web applications get left out entirely. All of this can mean delayed projects, complex code rewrites to implement a fix, and tools that are extremely costly and complex to manage.

So in software development, what’s the equivalent of lifestyle change?  What’s the anti-SQL Injection version of diet and exercise?  The FitBit of software security?  Something that is effective from the moment you write the first line of code, works in seconds, and requires no special training?  One answer is Cigital SecureAssist.  SecureAssist is a lightweight IDE plugin that points out common security vulnerabilities in real time as the developer is coding.  It reduces risk by delivering actionable guidance in context based on Cigital’s industry-leading experience and the developer’s organization’s own security frameworks and policies.   Like healthy lifestyle changes in disease prevention, SecureAssist can be used to reduce risk by pointing out opportunities to “build security in” when the code is being written in the first place.

As with medicine, your selection of a security approach needs to consider lowest cost, lowest risk, ability for everyone (even without special security training) to use it, and highest likelihood of success. Addressing a bug after it’s been released is obviously the least appealing – it’s the open heart surgery of the bug-fixing world. Pre-launch discovery of a bug is something like cholesterol testing and drug remedies, with labs to staff with specialists, massive R&D costs to develop drugs, and the risk of potential side effects. But the lowest cost, lowest risk approach that can be done by anyone without any special training is SecureAssist.

Now, go out there and get your software healthy by starting a free 30-day trial of SecureAssist at http://www.cigital.com/products/secureassist/ - and while it’s downloading, maybe go out for a walk and eat some kale!

