Cyber security has been a key topic at this week’s DeveloperWeek conference in San Francisco. However, according to Tripwire cyber security and software development experts, many software development organizations haven’t fully integrated security into their development process. To aid software development organizations, Tripwire compiled the top three mistakes made during secure software development.
According to Bob Loihl, senior software engineer and secure software development expert for Tripwire, most development teams make the following key errors when they try to incorporate security into their development process:
- Bolting security on at the end of a project. Have a security plan from the beginning, because this enables a secure architectural and design approach and makes it easier to safeguard all aspects of the code as it is created. This is particularly important in today’s threat environment as software users expect developers to provide secure offerings.
“When you defer crosscutting security work on a subsystem of your project, you will end up reworking and retesting a large part of the system later,” said Loihl. “You can definitely put off something like logging because it is a concern across the codebase, but if you put off implementing access controls in the system because it’s hard and expensive, it’s an indicator that you have missed or downplayed important project requirements.”
- Failing to take advantage of secure software development tools and expertise. Resist the temptation to “roll your own” security in software, particularly when it comes to authentication models, encryption and other complex functions. Leverage the work of others who have developed proven, validated secure code and processes to increase your confidence in the security of your project.
“With so many resources available today – from static code analysis to pen testing – there’s no excuse for not understanding the security profile of a product before it ships,” said Loihl. “In addition, there are good organizations out there like OWASP, SAFECode, BSIMM and others that can help you understand how to build out a security program.”
- Inheriting other developers’ security mistakes by using faulty library components. Make sure you know the origin of the libraries you use as well as the code you incorporate from other sources. Do your research to determine what security validation, threat modeling and other assurances have been applied to any third-party code you leverage in your products.
“Bringing in third-party libraries and frameworks is a risky operation in terms of security and defect exposure,” noted Loihl. “Outsourcing development does not absolve you from due diligence or testing the code you are using. The recent CWE-502 issues with Java RMI deserialization and Apache Commons Collections are good examples of this — having the library on the class path exposed an issue, even if the class that had the issue had never been used.”
Ultimately, Tripwire’s experts believe developers should not rely on “security through obscurity.” Some developers either hide their implementations of security or believe that a very complex implementation will help make their products more secure. In fact, the opposite is true: Effective security implementations will stand up to peer review and outside scrutiny when they are built on proven security approaches. Peer review is a cornerstone of good security; it increases the likelihood you can discover and address security weaknesses before you ship your software.
“Unfortunately, many software development teams are still trying to address security at the end of their process,” said Dwayne Melancon, chief technology officer and vice president of research and development for Tripwire. “This approach doesn’t work. To be effective, security needs to be baked into the entire process, from planning through deployment to usage.”
Loihl added: “Anyone who has lived through a breach or received surprising results from penetration tests right before a product is scheduled to ship knows how painful it is to add security in at the end of the development cycle. Today, developers face increased pressure to understand security issues and how they apply in their environments because of Internet of Things devices and pervasive computing environments. This can seem like a big investment, but the costs of doing it right the first time are much lower than responding to crises.”