Coders need to forget 'groovy' features, remember security

Cyber Security Knowledge Transfer Network (KTN) to help develop best practices for a secure coding standard.

A group made up of Government, industry and universities is aiming to pull together ideas on best practice for secure coding. The results of their work will play a role in developing a new pan-European standard.

The group met last week under the auspices of the Cyber Security Knowledge Transfer Network (KTN) to exchange ideas on how security can be better integrated into coding practice. The meeting followed research carried out by the KTN which revealed that only 20 percent of students taking University courses in IT received more than five hours of teaching about security.

"We really don't think security is being taken seriously enough in software development," said Nigel Jones, KTN director. "I don't blame the developers themselves, it's just that they've not been trained to take security into account."

He said there was a need to change behaviour and "to get software developers to think about security and not simply the groovy functionality."

Jones said last week's meeting revealed little agreement on what constitutes best practice, with each organisation tending to do things its own way without reference to any outside standard or guideline.

"No software development standard exists at the moment," he said. "The BSI (British Standards Institute) is working with its European equivalents on it and hopes to produce something by October."

The KTN will be writing a white paper on the subject by mid-June, and Jones said this would form the basis of the BSI's contribution to an EU standard.

Jones said the research so far had raised "more questions than answers" but that the KTN would attempt to bring together the best of how companies operate now, to create a best-practice set of guidelines. "We have little islands of people doing better than others, but little going on to share that. In keeping with our goal of knowledge transfer, we are trying to make that explicit, and trying to find out the commonalities," he said.

"We're not just looking at the coding itself, but also at the environment in which it is coded, how people capture security requirements during the design phase, or in procuring software, how will they capture security as a requirement that someone could deliver against."

Successive research studies have shown over the last year that hackers are increasingly attacking vulnerabilities in applications, using such techniques as SQL injection and cross-site scripting to compromise systems. Better coding standards would do much to block such attacks.

But some experts think that most vulnerabilities are due to sloppy coding practice. For instance, Avi Douglen, a security specialist with the consultancy Comsec, said: "If the programmer follows basic computer science principles you eliminate 80% of the vulnerabilities. Encapsulation and validation are all things that I learned way back in University."

His advice to developers was: "Foremost, never trust input. Some developers will often validate data from a user, but they trust what comes from a database or a file."

The meeting of the KTN identified two main areas where a better understanding of security would help developers. The first was to reduce the number of flaws that could be exploited maliciously, such as buffer overflows. The second focused on vulnerabilities caused by poor security design, such as weak authentication.
