Discover PerformanceHP Software's community for IT leaders // March 2012
Get developers thinking security in four steps
Security is already the apps team’s problem, so it’s time to enable them to create secure code from the get-go. Start here.
Most enterprise developers pay less attention to security issues than to functional and performance requirements. But they almost always end up dealing with security—after the security team or end users find problems. The CIO and VP of Applications see their costs rise and deployment slow as developers spend hours or days in rework mode, while the application is not out there driving potential revenue for the business. And that’s the upside. The consequences can be far worse when vulnerabilities surface after release.
Rather than approach security reactively, leading IT organizations are empowering developers to build in security during the application development process. Software security assurance (SSA) is a holistic approach that helps apps teams to build apps that are more secure and that get to market faster, allowing the security team to focus more on perimeter security.
Here’s the four-step start to motivating and enabling your team to develop secure applications.
Step 1: Educate
First, build awareness about why SSA is important. It’s not just another responsibility to add to developers’ workloads; it’s fundamental to developers doing their jobs better, and it saves them—and the entire enterprise—time and money later.
Next, seek out workshops, conferences, certifications, and seminars from educational organizations such as the SANS Institute. Web app teams can benefit from specialized training and networking opportunities from organizations such as the Open Web Application Security Project (OWASP), which offers guidance and a knowledge base for how to address web app security issues. Developer’s love to learn, and there are many resources available to help them.
Step 2: Assess risk and prioritize
You can’t transform app security overnight, so focus your efforts wisely. Ask these questions:
- What’s the status of your current apps? Which, if any, have been security tested or assessed by an outside organization?
- Which of your apps are subject to compliance rules or government regulation?
- Which apps are top priority, security-wise, for the business? Where might there be high risk to customer data, satisfaction or loss of revenue?
Step 3: Design a process
Allow for the gathering, management and tracking of security requirements, just as you track any other type of requirement. If you are using an ALM tool for requirements definition and management, create a template for security requirements or user stories, share it among teams and make it part of the project scope or iteration. It’s also important to institute threat modeling. Consider having coders write user stories that capture what the user—in this case, the hacker—wants to accomplish. “As a hacker, I want to attack HTTPS by injecting malicious Java script libraries into a browser cache.” After ranking potential threats, developers will follow the same “design, code, test” process. But in this case, they will eliminate potential vulnerabilities instead of just adding functionality.
The Open Software Assurance Maturity Model (OpenSAMM) has additional best practices for how to integrate software assurance into the design process.
Step 4: Begin to integrate the right tool sets
At some point, you’ll want to start integrating tool sets to facilitate SSA. Look for solutions with the following features:
- Static analysis tools, which you will use during development to find issues in source code as part of the build process.
- Dynamic analysis tools, which will attack the application using techniques a hacker might employ and uncover vulnerabilities.
- A management framework and application governance capability to help you manage a program around testing. You’ll need a tool that can both aggregate testing results and manage issue remediation.
- Integration of your security tools and their metadata into your ALM environment so that security requirements and defects can be managed as part of the milestone progress or iteration/sprint deliverables.
The security team needs to free up time to focus on perimeter security, where hackers are targeting an increasing number of attacks. That’s possible only when the apps team is empowered to ensure code security from the start. For more information on getting started with software security assurance, read Fortify’s “Why Software Security Assurance?” page.
Diving into disruptive technology trends like cloud, mobile, and Big Data, HP’s CEO talks about moving not just IT, but the whole enterprise, into a new era.
Dig into strategic trends with our new Discover Performance Weekly video series, and go backstage at events like RSA.