

Rudolph Araujo's ramblings on the world, my life, my work and oh yeah security!
Why Software Security Must Be Holistic

A few months ago, the software security folks at Microsoft put up a pretty insightful post on security training. Over the last few years I have had the opportunity to do a number of security assessments, and time and again this fact has been reiterated for me. A lot of organizations, and indeed developers, make the mistake of thinking software security can be a silver bullet or a shiny red easy button, if you will. While we would love it if that were the case, sadly it is not. As Edmund Hillary, the first man to climb Mount Everest, once said, "There is no virtue in easy victory". I don't think software security is that high a mountain to climb, but by no means is it a quick fix either. Ultimately it takes a significant amount of time and effort, and really continuous improvement, to make sure we are staying at the top of our game and keeping the bad guys out.

Software security is a function of your people, your processes and the technologies involved. Efforts must be made in all of those directions before true "zen", if you will, can be achieved. One aspect of the people side is, no doubt, having an informed and trained workforce. This includes your developers, but also your testers, your architects, requirements specialists or business analysts, project managers and, last but by no means least, your users.

Let me illustrate with an example. All too often when doing application testing we find cross site scripting problems in web applications. Typically, for illustration and for documenting evidence, we will use something simple like <script>alert('XSS');</script>. The idea is that this is proof the site is vulnerable to cross site scripting. Of course the recommendation goes on to suggest data validation, output filtering and such. Every once in a while, when we get the application back for retesting – the assumption being that all the vulnerabilities (or at least some chosen subset of them) have been fixed – we will see something that shows why just doing security testing (or any one single software security activity) by itself is not enough. We see code that looks like this (in pseudo code):


    if(input == "<script>alert('XSS');</script>") {
        print "Invalid data";
    }

As a security professional you cannot help but go "Aargh!": the developer has blocked the one string from the report rather than adopting the data validation and output filtering the report recommended. But when you step back and think, you realize we are not backing the security testing with training and awareness, policies and processes.
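As an added example (not code from the post), here is that retest "fix" written out in Python beside the output encoding the report actually asked for, run over a few constructed inputs to show why an exact-match check on the tester's proof string cannot hold up while encoding does:

```python
import html

# The payload the assessment report used as proof of XSS (from the post).
REPORTED_PAYLOAD = "<script>alert('XSS');</script>"


def naive_fix(user_input: str) -> str:
    """The retest 'fix' from the post: reject only the exact string the
    tester used, and echo everything else into the page unchanged."""
    if user_input == REPORTED_PAYLOAD:
        return "Invalid data"
    return user_input


def encoded_output(user_input: str) -> str:
    """Output encoding for an HTML text/attribute context: every character
    that could change the markup becomes an entity, so the browser renders
    it as text no matter what the input looked like."""
    return html.escape(user_input, quote=True)


def is_rendered_as_markup(page_fragment: str) -> bool:
    """Crude check for the demo: does the fragment still carry a raw tag?"""
    return "<script" in page_fragment.lower()


# Constructed inputs: the reported payload, a near-identical variant with a
# different message (never seen by the exact-match check), and a benign
# string that merely contains HTML-significant characters.
CONSTRUCTED_INPUTS = [
    REPORTED_PAYLOAD,
    "<script>alert('hello');</script>",
    "Tom & Jerry <3",
]


def compare(inputs=CONSTRUCTED_INPUTS):
    """Return, per input, whether each approach still emits live markup."""
    return [
        {
            "input": s,
            "naive_emits_markup": is_rendered_as_markup(naive_fix(s)),
            "encoded_emits_markup": is_rendered_as_markup(encoded_output(s)),
        }
        for s in inputs
    ]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The exact-match check only ever "passes" the one test case in the report; the encoded version turns all three inputs into inert text, and the benign one still displays correctly.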

I really think this is where, as an industry, we have failed. We like selling silver bullets to our customers: "hey, buy my product and it's all you need" or "buy my services and you will need nothing else". The same goes for things like security industry conferences: there must be more focus on all aspects of software security, not just "I found a new security bug" or, as has been happening more recently, "I found an old bug but I am going to give it a new name" ;). Of course I know it makes for a harder sell, but I think therein lies the challenge. Just as there are many aspects to staying healthy, e.g. genetics, food habits, exercise and so on, so it is with keeping our applications healthy, so to speak.


P.S. In a future post I will discuss how to set up a software security training program that is both effective and helps keep the costs down by using people's time efficiently.

P.P.S. I plan to expand on the general "Software Security – A Holistic View" theme on this blog with other aspects that should be critical components of an effective and efficient software security program.

Posted: Monday, August 13, 2007 9:33 PM by rudolph

