
It has been a wonderful experience working towards this certification with your training program, and I would give a very high recommendation to any future users.

February 2017
Newsletter Issue 56
Seven Steps to Reducing Software Security Risks

"Next month, RBCS will roll out its latest course, our ISTQB Advanced Security Tester training. We have helped clients improve their testing practices, including security testing, for almost a quarter century, so you can trust us that this course, like all of our courses, is based on years of practical experience. In honor of this milestone, we have revised a classic article that describes a stepwise, risk-based process for reducing software security risks. Enjoy!"
Introduction
If you are a software tester, programmer, or manager, you probably know that developing secure software is no longer simply desirable; it is completely essential.
Some might assume that most security problems arise from the operating system or networking layers, well below the application code they are working on. However, figures for Web-based applications show that over three-quarters of security exploits arose from applications (see Table 1).[1]
So, you know you need secure code, but how do you get there? What are your security risks? What security failures and bugs do you have? What do these security risks, failures, and bugs mean? How can you reduce security risk in a way that doesn't create new problems? How do you monitor your progress over time? This article outlines seven steps that will allow you to answer these and other questions as you improve your software's security.
Exploited Vulnerability           | Percent Occurrence
----------------------------------|-------------------
Server Applications               | 41%
Non-Server Applications           | 36%
Operating System Issues           | 15%
Hardware Issues                   | 4%
Communication Protocol Issues     | 2%
Others                            | 2%
Network and Protocol Stack Issues | 1%
Encryption Issues                 | 0%

Table 1: Occurrence of Security Exploits by Vulnerability
Assess the Risks
Applications tend to have characteristic security risks. These risks often arise from the implementation technology. For example, C and C++ are notorious for their lack of inherent array range checking, and consequent buffer-overflow bugs, which allow hackers to insert malicious code into very long input strings. People writing applications with databases have to worry about SQL injection, where hackers put queries into otherwise-benign input fields and gain access to sensitive data.
Security risks can also arise from the business application domain. For example, since they deal in money, banking applications are attractive targets for criminals and a major source of worry for bank IT departments. Applications that store personal information, such as medical history, are subject to regulations like HIPAA that require strict privacy controls.
Risk awareness is the first step in risk reduction. Companies have been reluctant to let outsiders know about the security failures they've had, but some of their failures make the news, and users report others. For example, the Open Web Application Security Project, www.owasp.org, provides good information for those developing Web applications, as does the World Wide Web Consortium's security page, www.w3.org/Security. Carnegie-Mellon's Software Engineering Institute's CERT Coordination Center, www.cert.org, provides a broader look at computer security issues. Last but not least, check out the searchable Risks Digest archives, catless.ncl.ac.uk/Risks, for great anecdotes and commentary on software risks, including security-related risks.
In addition to being aware of the failures, you need to be aware of the underlying bugs themselves. Depending on the kind of applications you're writing, you'll want to read appropriate books and Web sites for hints on common insecure coding constructs and how to avoid them. For example, searching for books on "secure programming" in any online bookseller will yield dozens of books, some general, some quite specific.
Once you are aware of the kinds of security risks that could affect your software, do a security risk analysis. Identify the specific risk items that you should be aware of. Meet with stakeholders to determine the level of risk in terms of likelihood and impact. Likelihood relates to the chances of any given risk becoming an actual security bug in your software. Impact relates to the effect on customers, users, and your software should the bug be exploited. Your analysis of the risks and their associated levels of risk will allow you to create a prioritized list of potential security failures.[2]
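As an added illustration of the likelihood-and-impact analysis described above (example code written for this newsletter edit, not code from the article or from RBCS), the following Python sketch keeps a small risk register, aggregates per-stakeholder ratings on an assumed 1 to 5 scale, ranks the items into the prioritized list, and flags items where stakeholders disagree enough that the number should not yet be trusted. The risk items are drawn from the article's own examples; the ratings and the scale are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean

SCALE = range(1, 6)  # assumed rating scale: 1 = very low ... 5 = very high (not from the article)

@dataclass
class RiskItem:
    name: str
    ratings: list = field(default_factory=list)  # one (likelihood, impact) pair per stakeholder

    def rate(self, likelihood: int, impact: int) -> None:
        if likelihood not in SCALE or impact not in SCALE:
            raise ValueError(f"{self.name}: ratings must be within 1..5")
        self.ratings.append((likelihood, impact))

    def likelihood(self) -> float:
        return mean(l for l, _ in self.ratings)

    def impact(self) -> float:
        return mean(i for _, i in self.ratings)

    def priority(self) -> float:
        # Risk priority number: mean likelihood times mean impact, so 1..25.
        return round(self.likelihood() * self.impact(), 2)

    def disagreement(self) -> bool:
        # Stakeholders two or more points apart on either axis: revisit before trusting the number.
        ls = [l for l, _ in self.ratings]
        im = [i for _, i in self.ratings]
        return max(ls) - min(ls) >= 2 or max(im) - min(im) >= 2

def prioritize(items):
    rated = [it for it in items if it.ratings]  # unrated items cannot be ranked yet
    return sorted(rated, key=lambda it: (-it.priority(), it.name))

def sample_register():
    # Constructed sample: items taken from the article's examples, ratings invented for illustration.
    sqli = RiskItem("SQL injection through a search form")
    sqli.rate(4, 5); sqli.rate(5, 5); sqli.rate(4, 4)
    bof = RiskItem("Buffer overflow in C input parsing")
    bof.rate(2, 5); bof.rate(4, 5)  # likelihood disputed between stakeholders
    hipaa = RiskItem("Medical history readable without authorisation")
    hipaa.rate(2, 5); hipaa.rate(2, 4)
    unrated = RiskItem("Hard-coded test credentials")  # nobody has rated it yet
    return [sqli, bof, hipaa, unrated]

if __name__ == "__main__":
    for item in prioritize(sample_register()):
        note = "  (stakeholders disagree, revisit)" if item.disagreement() else ""
        print(f"{item.priority():6.2f}  {item.name}{note}")
```

Unrated items are deliberately left out of the ranking rather than scored as zero, so they stay visible as work still to do instead of quietly dropping to the bottom of the list.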
[1] Figures from the Open Web Application Security Project Web site, www.owasp.org.
[2] I describe the process of risk analysis in my book Managing the Testing Process, 3e.
Copyright © 2006-2017, RBCS, All Rights Reserved
To enjoy this article in its entirety today, click here!

April 25-26, 2017, Noon to 3:30 PM CDT, via GoToWebinar
RBCS and imbus Canada Announce Training Partnership in Canada
RBCS, Inc. and imbus Canada are pleased to announce that imbus Canada is now an exclusive RBCS licensee of some of the most sought-after certification and software testing courses. Over the next few months, imbus Canada will deliver highly acclaimed certification courses in live, e-learning, and virtual formats.
Visit imbus Canada within the next two months to see which courses have been made accessible to you by imbus Canada, a top-tier, world-class training provider!
Complimentary Webinars
Did you miss the complimentary webinar, "Psychopolitics of Test Management" on January 11, 2017? Check out what you missed!
Webinar attendees are automatically entered into a drawing to win their choice of one of our green e-learning courses. Congratulations, Jeffrey Mumford, attendee of the January webinar, for being selected as the winner of an e-learning course.
Register now for our next complimentary webinar, "Fully Leveraging Agile Test Automation" on March 29, 2017.
Shop all scheduled upcoming complimentary webinars and sign up today!
Do you follow us on Twitter or Facebook, or subscribe to the RBCS YouTube channel? If you're on LinkedIn, are you connected with Rex Black? Rex posts insights, free resources, and links to interesting stuff in those spots pretty much every day. Here's how to find us:
RBCS Software Testing Training Schedule
Our 2017 schedule is now posted! If you have a request for public training in your city and can guarantee a minimum of 5 people in attendance, contact us. We will be happy to schedule a course on your home turf!
All RBCS courseware can also be delivered privately, onsite, at your organization. Contact us for pricing and to schedule.