Security and the Application Development Process


Establishing an application security plan requires IT to identify the risk factors presented by the applications deployed and the users accessing them. IT executives should develop business application profiles (BAPs) and user application profiles (UAPs) to identify the security risks for all enterprise applications. IT executives should then develop security-focused action plans to address each of the risk factors those applications present. Likewise, development teams should understand the security plan and enforce it in their practices. The plan should also be audited by an external group on a frequent basis to verify compliance.

While one can assume that application development people are inherently motivated to produce their best work, it helps to make this an explicit part of their evaluation criteria to reinforce the desired behavior. This is similar to human resources issues encountered when an enterprise decides that reuse should be encouraged, although the cost to develop reusable components is hard to justify to project managers who don't reap the rewards directly. Likewise, the cost and effort to build secure systems must be factored into development plans and spread across the entire organization that will see the benefits, which are rarely visible at the project level. There must be a baseline level of security that covers the enterprise and is amortized to everyone. Higher levels of security can and should be charged back as needed to the appropriate lines of business (LOBs).

Essential, then, is a long-term view that explicitly ties development team compensation to meeting defined security goals. This is difficult in IT environments with high personnel turnover, so the alternative would be to make the link indirectly through product metrics like the Common Criteria that act as a proxy for secure code (that is, meet the metrics to make the bonus). In addition, development staff must have proper security training and other security staff ought to be involved in development projects throughout the life cycle. Proper staffing for security is critical, not only for development security initiatives but also for any enterprise.

Products and Services

The product dimension for security includes process management tools, testing tools, and other application development tools that offer project management support. These include enterprise development suites as well as project management solutions. Development suites should contain security controls to create security mechanisms or access standard security components. In addition, vulnerability assessment services and tools are available.

Some vendors maintain security assistance for developers. Microsoft Corp., for example, while often in the news for security vulnerabilities in its products, hosts the Microsoft Security Developer Center. This site describes various approaches to finding security defects in code during the development process. Microsoft Press also published a book on the topic, "Writing Secure Code, Second Edition," by Michael Howard and David LeBlanc.

IBM Corp., for its part, maintains information about secure coding, including articles, education, events, and project information, in its developerWorks Security section. A recent perusal of this section shows an extensive collection of articles on security related to the development of applications using CGI, cryptography, Java, Linux, macros, Web Services, Wi-Fi, and XML. In a regular column on the IBM site, "Secure programmer: Developing secure programs," David Wheeler of the Institute for Defense Analyses authors the first article, which introduces the "basic ideas of how to write secure applications and discusses how to identify the security requirements for your specific application." Such sources can help developers begin to think about security in coding and provide baseline direction for addressing the knowledge challenge.

Firms such as Cigital, Inc., Guardent, Inc., HBGary, LLC, and SecureSoftware, Inc. offer relevant services ranging from application reviews to managed security services with disaster recovery capabilities. Such organizations have experience addressing software security challenges in a variety of enterprises and typically bring tested approaches and methodologies for building secure software, including software architecture reviews and source code audits. Cigital and SecureSoftware experts wrote the book "Building Secure Software: How to Avoid Security Problems the Right Way" and in it assert that software is at the root of all common security problems.

In summary, writing secure code is an essential part of improving the overall technology security situation. However, preventative measures that can be taken in the development process are overshadowed by reactive measures executed after deployment. This mentality needs to change, and enterprises doing software development should embrace security requirements early and often in the software development life cycle.

RFG believes writing secure application code is an integral component of the overall enterprise security architecture. Unless application requirements are identified up front, it is difficult for the development process to implement the required levels of security. The lack of application security requirements and the associated poor security focus in the development process can cripple business application security, leading to significant revenue loss and perhaps liability claims from anyone impacted by this oversight. IT executives should review application development processes and direct development teams to build in security, rather than consider it after application deployment.

RFG analyst Ron Exler wrote this note. Interested readers should contact Client Services to arrange further discussion or an interview with Mr. Exler.

Copyright © 2004 IDG Communications, Inc.
