How can app developers solve a problem like insecure code?

The Cyber Security Knowledge Transfer Network urges greater security awareness among application developers, and it has some bold ideas for achieving it.

A government-funded body has laid out a battle plan to try to force an improvement in the way software is written, and recommends the formation of a new entity to raise security awareness among developers.

Recent research found that only 20% of university computer science courses in the UK devoted more than five hours to teaching security.
The Cyber Security Knowledge Transfer Network (KTN) says 75% of security breaches occur as a result of software flaws that could be avoided if software developers had a better understanding of security and of how hackers operate.

The KTN has produced a white paper that lays out 18 initial recommendations for raising the standard of software. These include participation from professional bodies and universities, and a requirement for software companies to document their approach to security and make it available for inspection by purchasers.

The KTN also proposes a new body that will act as a central first point of contact on all software security matters, and run much along the same lines as Get Safe Online, which provides security advice for the general public.

As the KTN members found, secure websites should be immune to SQL injection attacks, cross-site scripting and buffer overflows, but poorly written code is making it easy for malicious hackers to exploit these common problems. One reason this happens is that software developers receive virtually no training in secure coding, and fail to understand how hackers work.

Recent research found that only 20% of university computer science courses in the UK devoted more than five hours to teaching security.

John Harrison, who chairs the KTN's Secure Software Special Interest Group, said: "I don't blame the developers -- they are between a rock and a hard place. The market is also to blame -- customers don't understand the need for good security and are not clamouring for it."

Among its recommendations, the KTN is calling on professional bodies such as the British Computer Society and the Institution of Engineering and Technology to include secure software development in their academic accreditation and professional registration programmes.

Harrison said that some universities, such as Leeds, have run courses that expose undergraduates to the consequences of poor coding, which could set a good example to others. But the main challenge, he said, is to find an "owner" for the task; someone who could work full-time to pull together best practices and act as a central point of reference, as is the case with Get Safe Online.

This will require funding from either private industry or government, Harrison said, and the KTN is already in talks with a variety of bodies.

Specialists in the software testing world agreed with the KTN's analysis. Rob Rachwald, head of product marketing at Fortify Software Inc., said: "The key issue is that software security requirements have changed over the past few years -- and few have noticed. Software systems, built long ago before the Internet existed, are now exposed in ways never imagined just 10 years ago. Worse, education has failed to mature with the evolving threat so developers, QA and operations professionals remain inadequately familiar to deal with software security effectively."

Rachwald said developers were "hampered by an educational system that fails to train them in modern software security requirements and a business environment that stresses positive functionality as opposed to negative functionality such as 'abuse cases.'"

He said breach disclosures had raised awareness of the problem, as had new regulations, such as the Payment Card Industry's Data Security Standard (PCI DSS).

Bernd Leger, vice president of marketing for Veracode Inc., said much of the problem came about because companies were using code from outside (open source, Web services and outsourced development), mixing it with in-house code, and losing control as a result.

Added to that, there is a shortage of qualified people trying to hit a moving target. "Attackers are discovering new techniques every day," Leger said. "The threat environment moves faster than the code base, and this will always be the case given the nature of the application development cycle."

He agreed that PCI DSS and various standards had forced greater awareness of security, and forecast that security would soon become a selling point for products. "Software vendors are seeing the opportunity to leverage security as a competitive differentiator similar to what has happened with the automobile industry related to security features over the last 20 years."

Read more on Application security and coding requirements