The Computer Weekly Developer Network blog ran a piece recently entitled “What can software application developers expect from InfoSec?” — which, if anything was an open invitation for additional commentary on this subject.
There was (arguably) a fair slice of vendor stuff and nonsense flying around at the InfoSec show itself with free T-shirts, jelly beans and so-called ‘booth babes’ slathered around like they were all going out of fashion. So as a result, we find some of the better commentary coming out in the wash a short while after.
Raimund Genes is chief technology officer with Trend Micro, and he and his team have answered some of the unanswered points and direct questions posed in the initial story we ran on the subject of developer issues at the security coalface.
At what stage should software application development projects identify and classify their security/encryption/protection quotient and set out a concrete IT asset management “place at the table” for this element?
Raimund Genes — “As soon as possible — applications need to be designed with security in mind. A lot of attacks are due to application vulnerabilities, not just OS vulnerabilities anymore. Microsoft really has stepped up the OS patching, but how often do they patch the applications? We see a lot of targeted attacks using known vulnerabilities, for example in Adobe PDF and Flash. What is worrying is the fact that especially with mobile applications, the turnaround is very fast. This, combined with an open Application Market is the perfect storm – look at Android. At Trend Micro, we predict that 130,000 devices will be affected by Android malware by the end of this year.”
As security is “architected in” to a software development project, how does the responsibility for its ownership transition from software architect to developer to IT asset manager and onwards?
Raimund Genes — “It does not only need to be architected into the software development project, it needs to be architected into the complete lifecycle/ecosystem of a software development process. During development, things like how patches will be deployed, how the software could “self defend” with watchdog modules, integrity checks etc., all need to be defined. The IT asset managers, the buyers, should start to demand safe software — this would make all of our lives easier! Or they should promote closed ecosystems – Apple is a great example. The individual components are not more or less secure than other vendors, but combining it all together into an ecosystem – where the vendor delivers the hardware, software and app store – means really tight control!”
How can engagement with the open source community's contribution model help aggregate awareness of malware risk, and how can that be engineered into software products in production and post-production?
Raimund Genes — “Open source is great, as many people look at the source code. Security by obscurity never worked! And with open source software you could alter it, recompile it, so it is not a monoculture anymore – which is good news short-term. However, it can cause issues with patching and updates – see Android again. Properly engineered into software, open source enables code review by multiple developers, constant checks moving forward, an architect team with veto rights… and so on.”
How should software developers be “tutored” into security awareness at all levels? For example, if developer A is a user experience GUI specialist and developer B is a graphics rendering guru, then neither probably stops to think about security too much — but as all data represents risk and all risk is the concern of security, how should the “security mandate” be proliferated throughout all stakeholders in the software application development lifecycle?
Raimund Genes — “They all need to be trained on security one-on-one, and how to use safe coding practices and watchdogs like Canary Value, for example. There are safe coding practices out there, but laziness, the “I don’t care” mentality, and timeline pressures, combine to kill the security-mindedness of a lot of projects. Developers need to understand that their work lives on. If they don’t get the security right now, they will need to deal with security breaches afterwards, and they will be producing patches to fix vulnerabilities late into the night! We need to give them more time for better coding, and we need to promote this attitude. Security should be the first consideration, not the last. Customers need to understand that paying for better coding will ultimately cause them fewer issues, but we need a change in mindset for this.”
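As an added illustration of the “canary value” watchdog Genes mentions (example code written for this post, not Trend Micro's or the interviewee's): a buffer guarded by a canary word, a copy that trusts the input length beside its bounded replacement, and the check that detects the overwrite. The frame layout, the fixed CANARY constant and the 24-byte input are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical frame layout: a fixed buffer followed by a guard word. A compiler's
 * stack protector puts a random canary between locals and the saved return address;
 * modelling it as one struct keeps every access inside a single object (defined behaviour). */
typedef struct {
    char buf[16];
    uint64_t canary;
} guarded_frame;
/* A real canary is drawn at process start and is never a constant; this fixed value is
 * for the demonstration only. Its low byte is zero so that, on a little-endian machine,
 * a C-string overrun stops at the guard's first byte. */
static const uint64_t CANARY = 0xa1b2c3d4e5f67800ULL;

static void frame_init(guarded_frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY;
}

/* The bug: the copy length is taken from the input, not from the buffer (the clamp only keeps the demo inside the object). */
static void copy_unchecked(guarded_frame *f, const unsigned char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* The fix: reject input that does not fit instead of truncating silently. */
static int copy_bounded(guarded_frame *f, const unsigned char *src, size_t len) {
    if (len > sizeof f->buf) return -1;
    memcpy(f->buf, src, len);
    return 0;
}

/* The watchdog: 1 if the guard is untouched, 0 if something wrote over it. */
int canary_intact(const guarded_frame *f) { return f->canary == CANARY; }
/* Drivers: each copies a constructed 24-byte input (8 bytes too long for buf)
 * and reports whether the guard survived. */
int unchecked_copy_keeps_guard(void) {
    guarded_frame f; unsigned char input[24];
    frame_init(&f); memset(input, 'A', sizeof input);
    copy_unchecked(&f, input, sizeof input);
    return canary_intact(&f);             /* 0: guard overwritten */
}
int bounded_copy_keeps_guard(void) {
    guarded_frame f; unsigned char input[24];
    frame_init(&f); memset(input, 'A', sizeof input);
    int rejected = copy_bounded(&f, input, sizeof input) == -1;
    return rejected && canary_intact(&f); /* 1: rejected, guard intact */
}
```

A compiler-inserted canary works the same way but aborts the process on mismatch rather than returning a flag; a fixed or leaked guard value defeats the check, which is why the real one is randomised per process.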