Entropy and the art of secure software development

Jun 09, 2015 | 4 mins
Application Security, Security

Those who paid attention in science class should not be surprised by the almost daily deterioration in business information security. Entropy, the quantity that the second law of thermodynamics says only ever increases in a closed system, is defined by Merriam-Webster as “the degradation of the matter and energy in the universe to an ultimate state of inert uniformity.” For some reason, many in the application development world seem to think they are not governed by the laws of thermodynamics. I would suggest otherwise.

Consider the following scenario: Acme corporation is developing a new web application. They have a well-defined software development life cycle and follow development best practices. Their developers receive ongoing security training and consider the OWASP Top 10 in their development effort. They use a commercial code-checking tool and conduct internal and external vulnerability testing. Any defects discovered are fed immediately back to the developers for resolution. They deploy their application in accordance with a defined change management process, with executive review and approval. Everything is done by the book; it is a model development operation. Once a version is done and tested, they immediately focus on the new functionality requested by marketing for version two.

In a static world, their “secure” application would pass additional vulnerability testing next week, next month and next year. Sadly, the information security world is anything but static, with the pace of deterioration increasing monthly. Examples of the changes that impact ongoing application security include:

  • Operating system patches and configuration changes on server and client
  • Browser changes
  • Discovery of previously unknown vulnerabilities
  • New hacking techniques

Some years ago, maintaining good information security was much like a chess match — relatively slow moving, and at least somewhat predictable. Now, it is more like running NORAD — a constant, rapid flow of new information that must be considered and addressed. Thus, if you are resting comfortably in the knowledge that your web application was secure last month, you are resting on an invalid assumption.

Software in general, and web applications in particular, must be continually evaluated and monitored. We cannot control the changes that occur, so we must make good security practices a continuous process.

The recent CareFirst breach serves as a good example of how not to ensure adequate ongoing information security. According to a report in CSO Online, the vulnerability was first discovered in 2014 and was believed by company officials to have been resolved. Ten months later, they learned that they were wrong. The good news is that they apparently discovered the issue proactively, but they offset that success by never re-verifying the fix: the issue was not added to their ongoing monitoring process.

Another timely example is the U.S. Office of Personnel Management (OPM) breach reported this week. According to a New York Times article, the agency was warned about the vulnerabilities by its inspector general last year. They might have considered the vulnerabilities a low priority at the time, but once again entropy prevailed.

Until we accept as an industry that secure systems and networks are a rapidly moving target, we will continue to hear breach reports like that of CareFirst. We must succeed in integrating appropriate information security practices into our day-to-day operations. I would suggest the following ideas to help accomplish this:

  • Security monitoring must be someone’s daily focus. Larger organizations are creating security operations centers, which do for security what network operations centers do for network stability. Smaller organizations may not be able to afford such an operation, but this does not relieve them of the responsibility. They must dedicate someone to this, be it an employee or a vendor.
  • The security monitoring process must be dynamic, adapting to day-to-day changes in the threat landscape. The person or persons overseeing this must have time to read, study, and think, applying their findings to the monitoring process. An organization that expects one person to handle daily security monitoring and also keep up with threat intelligence and new discoveries, with no time set aside for the latter, is destined for failure.
  • Tools need to be part of the monitoring strategy. There are a wide variety of automated monitoring and testing tools available, and using some of them is essential to keeping up with changes in a cost-effective manner.
  • Automated tools cannot be installed and ignored. This may seem to contradict the above point, but both are true. Tools are important to the process, but no single tool can be assumed to be right and current all of the time. Some redundancy, either multiple tools or a single tool with human monitoring and testing, is essential to the process.
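The last three points, plus the CareFirst lesson above, describe a reconciliation step that a monitoring team runs after every scan: merge the output of more than one tool, re-check issues already marked resolved, and hand anything the tools disagree on to a person. The following is an added example of that logic, not code from the original post and not the output format or API of any real scanner; the tool names, dates, locations and check identifiers are constructed for illustration.

```python
"""Reconcile independent scanner runs against a list of tracked findings.

Added example; it is not code from the original post and does not represent
any real scanner's output format. Tools, dates, locations and check identifiers
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Finding:
    location: str  # endpoint or host being checked (constructed values below)
    check: str     # the scanner's check identifier (constructed)


@dataclass(frozen=True)
class Tracked:
    finding: Finding
    status: str  # "open" or "resolved"; "resolved" still gets re-verified every run


@dataclass(frozen=True)
class ScanRun:
    tool: str
    definitions_date: date  # when the tool's checks or signatures were last updated
    findings: frozenset


@dataclass
class Report:
    new: list = field(default_factory=list)              # never tracked before
    regressions: list = field(default_factory=list)      # marked resolved, seen again
    still_open: list = field(default_factory=list)       # tracked open, still present
    disputed: list = field(default_factory=list)         # some tools see it, others do not
    stale_tools: list = field(default_factory=list)      # definitions older than the window
    confirmed_clear: list = field(default_factory=list)  # tracked, no current tool sees it
    unverified: list = field(default_factory=list)       # tracked, too little current evidence


def reconcile(tracked, runs, today, max_def_age_days=30):
    """Merge all runs, re-check every tracked finding, and flag what needs a human."""
    report = Report()
    current = []
    for run in runs:
        # A tool whose definitions are old cannot vouch that something is absent.
        if (today - run.definitions_date).days > max_def_age_days:
            report.stale_tools.append(run.tool)
        else:
            current.append(run)

    # A positive from any tool, stale or not, is still a lead worth triaging.
    seen = frozenset().union(*(run.findings for run in runs))
    known = {t.finding: t.status for t in tracked}

    for f in sorted(seen, key=lambda x: (x.location, x.check)):
        status = known.get(f)
        if status is None:
            report.new.append(f)
        elif status == "resolved":
            report.regressions.append(f)  # the CareFirst pattern: "fixed", but back
        else:
            report.still_open.append(f)
        if any(f not in run.findings for run in runs):
            report.disputed.append(f)  # tools disagree; a person has to decide

    for t in tracked:
        if t.finding in seen:
            continue
        # Absence only counts as evidence when at least two current tools looked.
        if len(current) >= 2:
            report.confirmed_clear.append(t.finding)
        else:
            report.unverified.append(t.finding)
    return report


# Constructed sample data: one fixed-then-regressed issue, one open issue,
# one new issue, and one fix that no current tool can vouch for.
LOGIN = Finding("https://app.example.test/login", "reflected-xss")
ADMIN = Finding("https://app.example.test/admin", "missing-auth-check")
UPLOAD = Finding("https://app.example.test/upload", "unrestricted-file-type")
TLS = Finding("app.example.test:443", "weak-tls-config")

TRACKED = [Tracked(LOGIN, "resolved"), Tracked(ADMIN, "open"), Tracked(TLS, "resolved")]
RUNS = [
    ScanRun("scanner-a", date(2015, 6, 1), frozenset({LOGIN, ADMIN, UPLOAD})),
    ScanRun("scanner-b", date(2015, 3, 1), frozenset({LOGIN, ADMIN})),  # old definitions
]
TODAY = date(2015, 6, 9)


def example():
    return reconcile(TRACKED, RUNS, TODAY)


if __name__ == "__main__":
    for name, items in vars(example()).items():
        print(f"{name}: {items}")
```

Two design choices carry the article's argument. A finding marked resolved is never dropped from the tracked list, so a fix that quietly stops working shows up as a regression on the next run instead of ten months later. And a tool whose definitions are out of date can still raise a lead, but its silence is not accepted as proof of absence; with only one current tool, a resolved issue it does not see is reported as unverified and goes to a person for manual testing rather than being counted as clear.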

I confess that I have never read any books by William S. Burroughs, but one of my favorite quotes is attributed to him: “When you stop growing you start dying.” We in the information security world must grow every day to keep up, because I can assure you that the hackers do.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
