Security of application software remains low as hackers turn their attention from operating systems
Panelists discussing software assurance at the RSA security conference agree that we have a long way to go in improving the quality of application software, but how to get there is not yet clear.
SAN FRANCISCO — Writing more secure software is not a simple task, but it can be done and it should be done for applications, experts say.
“The guys who write systems are pushing their people to write secure software,” said Alan Paller, director of research for the SANS Institute. “But the application people have never done that.”
As operating systems have become harder to attack, those writing malicious code are turning more of their attention to applications. Paller said that 90 percent of new hacking tools target applications, a significant increase in the last year.
Paller is not alone in his concerns.
“I share the frustration of the rest of the IT and business worlds that more progress hasn’t been made in having sound, secure software,” said W. Hord Tipton, executive director of the International Information Systems Security Certification Consortium and a former Interior Department CIO. “We seem to be losing ground.”
Not that there are not some areas for hope. “It’s extremely spotty,” Paller said. “But it’s gaining extraordinary ground in the spots.” As a nation overall, however, “we suck,” he said.
Paller and Tipton are among a panel of experts discussing the challenges of software assurance today at the RSA security conference. The security (or insecurity) of applications is a growing concern. A recent study of 200 businesses by Forrester Consulting commissioned by Veracode Inc. found that 62 percent had experienced a security breach in the last year because of vulnerabilities in critical software applications. Despite the size of the security hole this represents, only 13 percent of respondents said they knew the security quality of their critical applications, and only 34 percent had a comprehensive software development life cycle process integrating application security.
Tools are available to help with software assurance. IBM Corp. is announcing at RSA this week that its Rational AppScan product now will incorporate the ability to recognize malicious code in programs as well as scan for vulnerabilities.
The company’s Rational product line is a platform for software development and delivery, and allows code to be evaluated in the production environment as well as during the development phase. A fourfold increase in the amount of malicious code being found in legitimate Web sites in the last year has created a demand for the capability to discover malicious code, said Danny Allan, director of security research for IBM Rational. An estimated 80 percent of malicious code is being delivered through legitimate Web sites where it has been placed surreptitiously.
“The growth in malware is impressive, and we have been approached by customers,” Allan said. “It’s becoming an increasing risk for companies doing business online.”
The capability will be available in the AppScan product immediately in beta, but full product support is expected in the next release later in the year. It will be available in the AppScan OnDemand service in the second quarter.
Integrating security throughout the life cycle of the software requires beginning at the earliest development phases, Tipton said. “It requires more than just writing secure code, but you have to start there,” he added.
An important reason it does not start there is that companies producing commercial software, and shops producing it in-house or by contract, usually face tight timelines into which it is difficult to fit security concerns. Writing secure code alone is not adequate for software assurance because of the complexity of the programs. Layers of functionality are required, and attacks targeting these layers are becoming more sophisticated. It does not have to be a flaw that is exploited; it can be misuse of a feature.
“You really don’t have to screw up to be exploited,” Tipton said.
The issue of software assurance could be moving out of the development shop and into courts. Paller said we are entering an age of cyber litigation over legal liability for software breaches.
“The stars are all aligned,” he said. Last year about 20,000 lawyers lost jobs, and this year another 44,000 lawyers will be graduating from law schools with an average of $83,000 in student loans. “There is a huge demand for legal cases by people who have law degrees,” and the recent $20 million settlement by the Veterans Affairs Department over a lost laptop containing personal information on millions of vets will act like “blood in the water,” he said. “They are going to focus on application security because it is the perfect place to show negligence.”
Neither Paller nor Tipton believes legal liability is a good way to enforce software assurance, however.
“I don’t like using negatives to get things done,” Paller said.
Tipton thinks the legal focus should be on the hacker, not the developer. “I don’t think we are tough enough on those with criminal intent,” he said. “How do you determine with any finality how something was breached?” It could be through misconfiguration or social engineering as well as through a software flaw.
That said, a reasonable degree of due diligence is required on the developer’s part, he said. That can be achieved only when the industry works together toward this end, rather than competing in a rush to market.
“We need to get companies to look at this as a universal problem,” he said. “No one company can do this by itself.”