There are many ways to find and deal with software security bugs. A significant difference between them is the point in the software development lifecycle at which they are employed. This is similar to the different ways we treat a human illness like heart disease, which also differ based on when they are used.
If a person has heart disease, a doctor may recommend surgery to repair the damage. Bypass surgery can repair damage and reduce the risk of death, but it’s not easy: the procedure lasts 4-5 hours and the heart is generally stopped for about 30-90 minutes while repairs are done via a 6-8 inch chest incision!
A better bet is to treat before disease ever strikes. Special blood tests can be used to discover elevated levels of bad cholesterol, perhaps allowing the patient to take drugs that can reduce those levels before they have a chance to cause heart disease. But these drugs take years to develop and test, they can be very expensive, and they require specialized ongoing care and lab monitoring while in use. Hardly a simple remedy!
Earlier still, education about nutrition and exercise, and adopting a healthier lifestyle, can help prevent bad cholesterol levels from becoming elevated in the first place, thus avoiding heart disease altogether. It’s cheap, easy, fun, and anyone can do it with no specialized training! And today, there are more ways than ever for health professionals to get people to adopt these preventive measures. Think about the FitBit: a seemingly simple little thing, but one that uses some very clever tech to encourage folks to do the right thing for their health.
Now, no health professional would claim that any of these three approaches is unnecessary. They are all a matter of timing and of the individual patient. Nutritional education alone cannot “cure” heart disease in a patient who already suffers from it. And surgery would never be recommended for a healthy patient with no heart disease. The trick is to employ the approach that comes at the lowest cost, has the lowest risk to the patient, requires the least specialized delivery, and has the highest likelihood of success.
Software security bugs can be viewed in a similar way. If a security bug is discovered in a deployed application, the developer can create a patch and distribute it to their customers. It repairs the damage (hopefully, and hopefully without causing other damage), but it’s expensive, difficult, damaging to the business, damaging to the developer’s reputation, and still may be only a “patch” that can’t guarantee more bugs won’t be found in the future.
Clearly, it’s better to find issues before the application is ever released. Software security assessments in the development cycle (e.g., static and dynamic analysis) can discover the bug, allowing the developers to repair the issue. This beats patching a shipped product, of course, but it’s not without problems. It’s heavyweight and requires the code to be nearly complete and running, which is especially problematic with greenfield development. In the case of dynamic analysis, non-web applications get left out entirely. All of this can mean delayed projects, complex code rewrites to implement a fix, and tools that are extremely costly and complex to manage.
So in software development, what’s the equivalent of a lifestyle change? What’s the anti-SQL-injection version of diet and exercise? The FitBit of software security? Something that is effective from the moment you write the first line of code, works in seconds, and requires no special training?

One answer is Cigital SecureAssist. SecureAssist is a lightweight IDE plugin that points out common security vulnerabilities in real time as the developer is coding. It reduces risk by delivering actionable guidance in context, based on Cigital’s industry-leading experience and the developer’s organization’s own security frameworks and policies. Like healthy lifestyle changes in disease prevention, SecureAssist can be used to reduce risk by pointing out opportunities to “build security in” while the code is being written in the first place.
As with medicine, your selection of a security approach needs to consider the lowest cost, the lowest risk, the ability for everyone (even without special security training) to use it, and the highest likelihood of success. Addressing a bug after it’s been released is obviously the least appealing; it’s the open-heart surgery of the bug-fixing world. Pre-launch discovery of a bug is something like cholesterol testing and drug remedies, with labs to staff with specialists, massive R&D costs to develop drugs, and the risk of potential side effects. But the lowest-cost, lowest-risk approach that can be used by anyone without any special training is SecureAssist.
Now, go out there and get your software healthy by starting a free 30-day trial of SecureAssist at http://www.cigital.com/products/secureassist/ , and while it’s downloading, maybe go out for a walk and eat some kale!