Software producers work together to turn the tide on cybercrime

Cyber attacks that exploit security weaknesses in software and cost business millions through fraud, theft, downtime and recovery, are increasing in complexity and number.

Security researchers say cybercriminals have organised into an underground economy to share skills and resources to create increasingly sophisticated attacks.

In the face of this onslaught, what are software producers doing to turn the tide and create a safe operating environment for legitimate business?

They too, it seems, are sharing skills and resources in an attempt to create increasingly secure code, but with attacks still prevalent, what are they doing and to what extent are they succeeding?

What the industry is doing

Lots of elements of co-ordinated response are already coming into place, said Steve Lipner, senior director of security engineering strategy at Microsoft.

The Industry Consortium for the Advancement of Security on the Internet (ICASI) and Safecode are key cross-industry initiatives supported by Microsoft.

ICASI, set up in 2008 by six major software suppliers, provides a vehicle for cross-industry response to security issues that affect multiple platforms, said Lipner. "ICASI has been effective at responding to issues that have arisen."

In the area of secure development, Microsoft is also one of the founders of Safecode, which brings together seven software suppliers to co-ordinate and agree on best practices for building software securely.

"Safecode members are working together to articulate best practices and make them available to other suppliers, end-user organisations and governments worldwide," said Lipner.

When you look at the overall mission for Safecode, the goal is to help member companies learn from one another, share good ideas and get better at producing safe code, said Brad Arkin, director, product security and privacy at Adobe Systems. "They then produce deliverables in the form of white papers and technical resources that can help the industry at large benefit from this condensed knowledge from the member companies."

Holding cross-industry conversations about security is something Adobe is very much engaged in, and Safecode is one vehicle for doing this, said Arkin. "We learn so much in describing our process and then having other people ask why we do things the way we do."

The Building Security In Maturity Model (BSIMM), a cross-industry initiative also supported by Microsoft and several other big software suppliers, is another framework that allows Adobe to interact with lots of other companies and share ideas, said Arkin.

"Adobe also participates in things like the Open Web Application Security Project (OWASP) and less formal gatherings such as workshops at the RSA conference to share with other software companies what we are doing," he said.

Drivers for cross-industry collaboration

Cross-industry organisations have attracted just about all the major software suppliers, but many of them are competitors, so why are they so keen to collaborate?

The problem is simply too great for any one supplier to tackle effectively on its own, said Mike Reavey, director at the Microsoft Security Response Center.

"Microsoft is committed to community-based defence within its Trustworthy Computing initiative," he said.

But there are commercial reasons too, particularly for software producers like Microsoft, many of whose products are platforms for third-party applications.

"Having more secure software running on our platforms benefits our customers, and having our customers more secure is a win for Microsoft," said Lipner. Also, a safer internet will enable more internet use by reducing barriers to adoption, and that benefits Microsoft because its business is really on the internet today, he said.

"The internet is a community. It is in everybody's interest that every system and every product connected to the internet is as secure as possible, which is one of the main reasons you are seeing such a high level of cross-industry collaboration," said Lipner.

Industry coalescing around security

While there are several pockets of cross-industry collaboration around organisations drawn from a select number of suppliers, will there ever be a single co-ordinated response?

That may take some time, said Lipner, but the industry is definitely coalescing around the need for better security.

"We can do a lot by working together as we have done and building on the successes that we have had," he said.

There will be a movement towards a more cohesive framework at some point, but a single response may not necessarily be the way to go, said David Ladd, principal security program manager, trustworthy computing at Microsoft.

"There are a lot of things to agree about on things to do in the security space, but if you have a generic approach, it may be too generic to be effective in addressing some new type of security threat or challenge that might emerge," he said.

Ladd is, however, confident there will always be a situation where organisations have their own flavour or method of doing things.

This is true of Adobe, which has its own Secure Product Lifecycle (SPLC) despite using Microsoft's Security Development Lifecycle (SDL) as a reference, said Arkin.

A lot of things are similar, but the software companies are different culturally, so it was a lot easier for Adobe to adapt elements of Microsoft's SDL that were a clear fit, he said.

"There were also places where we saw what they were achieving with the SDL that would not work for us and that we needed to do something different even though we needed the outcomes to be the same," said Arkin.

One of the most important things Adobe has learned from Microsoft is how to achieve executive-level buy-in to secure code development.

"It is a never-ending battle for mindshare with all the computing subjects in the company. But every obstacle I run into is something someone at Microsoft had to deal with in the past 10 years, so I can always get input on what they did to solve it," said Arkin.

Adobe has also adopted some of the secure coding tools used by Microsoft.

"Instead of having to develop the tools ourselves, we have been able to take some tools directly without modification and put them to work internally," said Arkin.

In turn, Microsoft is looking to adapt elements of Adobe's SPLC training, which promotes competition between the software developers as an incentive to improve their secure coding skills, said Jeremy Dallman, security program manager at Microsoft.

"In Adobe's model, developers compete with each other for higher status. Microsoft does not have anything like that, and we are looking at it as a way of getting developers to think differently about security training."

Success through collaboration

Lipner said that through cross-industry collaboration on security, software suppliers will share experiences and best practices, as well as information about what cybercriminals are doing.

"We are going to find ways to make software more secure, and we are going to do that better and faster [than the criminals] because that is key to our continued success in the industry," he said.

"It is not just our brains or Adobe's brains: it is the industry working together to protect customers. That is going to be very hard for anybody motivated by crime to stay ahead of," said Lipner.

Ladd said that while the software industry is making progress in establishing security as a neutral zone for co-operation among organisations that would ordinarily be competing with each other, there is room for growth in sophistication of how they interact.

Collaboration within the industry typically comes and goes in cycles, but right now more collaboration will make things better, said Arkin. "I could imagine a point where it becomes too much overhead and it is not worth it, but we are nowhere near that yet as an industry."

Arkin expects to see increasing collaboration as long as it is adding value. "There is a lot of great work ahead of us we have not yet done," he said.

But he also believes we are already seeing progress through cross-industry collaboration, because it is getting a lot harder for criminals to find ways to attack where organisations are using the right up-to-date technology. "There are a lot of environments where organisations can be very robust against attacks by making the right technology choices and using the right conservative approach in how they set things up," he said.

There will always be organisations that are using out-of-date technology and not taking appropriate precautions, said Arkin, but there has already been so much good work done for the very high end that there are a lot of benefits the lower end can tap into.