Monday, January 18, 2010

The Secure Software Development Lifecycle–Security from the Start




Monday 6 July 2009
France Telecom Open Tribune
Author: Nissim Bar-El, CEO & Chairman



According to a recent University of Michigan study, more than 75% of the bank websites surveyed had at least one design flaw that could leave customers vulnerable to cyber thieves. Unfortunately, this is not uncommon across all types of sensitive applications today. With credit card data and bank accounts constituting 22% and 21%, respectively, of the items most “on demand” for online purchase, it is not surprising that all leading research organizations predict a major increase in the incorporation of security into the software development stages by 2009. This practice is also known as a secure Software Development Lifecycle (SDL).

Developers usually schedule time in their security cycles for securing the infrastructure layer, the communication layer, and the physical aspects of systems and products, and for ensuring proper work procedures; security at the application level, however, is not given adequate attention early in the development of the software. Combined with the fact that most application designers and programmers do not have the expertise required to develop a secure and robust application, even when following secure programming guidelines, this makes security flaws in complex systems virtually unavoidable. Another contributing factor has been the lack, until now, of appropriate solutions in the market, such as quick and thorough source code analysis that can also be applied to non-compiled code.

Like every other business-critical organizational process that requires planning and strategy, delivering a bug-free application is nearly impossible without a proper, organized process. What’s more, implementing security without a clear process tends to rest on inefficient practices and on insufficient communication between teams about the relevant security issues.

As a result, ordinary day-to-day products contain many designs and implementations that, if not implemented correctly, introduce security flaws and open the door for system users, whether legitimate or malicious, to perform unauthorized operations. Exploiting these breaches, intentionally or unintentionally, may harm the three crucial information security missions of every organization: preserving the availability, integrity, and confidentiality of the organization’s sensitive data.

Some of the most common and potentially debilitating ways in which breaches of this nature are exploited include:

* privacy breaches through unauthorized access to private and secret information;
* user impersonation and identity theft, a rapidly growing problem worldwide, including illegitimate activity against the system backend carried out through the Web frontend;
* stealing corporate information or altering it;
* gaining full control of a Web server;
* site defacement;
* and even launching Denial of Service (DoS) attacks.

Depending on the severity of the breach, the consequences could include financial losses or reputational damage.

Taking into account the severe potential fallout from improper security design and implementation, the inevitable question is: how is it possible that more organizations are not implementing a secure Software Development Lifecycle? This process has proven, time and again, that it reduces the costs incurred one hundred-fold when implemented in the first stages of development. Leading organizations such as Microsoft, Gartner, and Forrester have endorsed this approach many times and have clearly demonstrated that organizations implementing an SDL plan, one that integrates security best practices throughout the software development lifecycle, greatly reduce the number of defects and vulnerabilities. Doing so saves enterprises an inordinate amount of man-hours that would otherwise go to future remediation, remediation that can delay a product’s launch, and it avoids the financial losses that result when security breaches go undetected and are exploited by malicious entities.

The SDL provides process-level requirements that define how security should be integrated into each product’s development process, specifying in particular the activities that should be performed at each phase. The objective is to minimize the number and severity of security-related flaws in the initial design, code, and documentation, and to detect and remove these flaws as early in the development lifecycle as possible. One practice that should be instituted throughout secure development is ongoing source code analysis, which reports in real time the security vulnerabilities present in the code and so allows them to be mitigated without delaying the production process. In addition, the SDL gives senior management a clear view of the current level of product security, enabling an objective decision on whether or not to release the product.

Comsec Consulting has been actively providing its services around many intricate facets of application security for more than two decades. This accumulated experience has enabled Comsec to cultivate a bird’s-eye view of the many complexities in this field. This knowledge has been the foundation for the development of in-house proprietary tools, tried and true methodologies relating to all aspects of Information Risk Management, and even an advanced technology for client-specific, customized source code analysis, all of which contribute to the continuous evolution of SDL. These methodologies and technologies have facilitated the successful implementation of comprehensive end-to-end SDL processes over the past years. These processes have included extensive hands-on practice by Comsec’s multi-disciplinary security consultants with services like: Software Security Policy Development, Procedures and Guidelines Formulation, Design Evaluation, Code Review, Penetration Testing, Security Reviews, along with Software Security Training and Awareness.

The objective of the SDL is to formulate a process in which information security is involved throughout the development lifecycle; a formal SDL, tailored to suit an organization’s needs, is one of the best methods of realizing an enterprise’s security goals.

A typical SDL process consists of the following stages:

Stage One: Requirement Analysis
At this stage the team verifies whether a specific system, application, module, feature, or other software product complies with predefined security requirements, such as industry best practices, leading international compliance standards (ISO 27001, PCI DSS, ITSec, SOX, and others), policy and procedure definitions, and RFP requirements.

Stage Two: Architecture and Design Evaluation
This stage includes a study of the application and a review at the conceptual and design level. The review produces a report on problematic security considerations in the application architecture and/or design, as they relate to the application, network, system, or product involved.

Stage Three: Security Code Review
One of the most important stages in the SDL process is the security code review. It is the most effective way to find vulnerabilities at the source code level, which is one of the main reasons it is required by leading international compliance standards such as PCI DSS. To mitigate risks, Comsec provides a unique and professional security code review service, which delivers quick and accurate results, virtually free of false positives. Comsec’s security professionals draw on their accumulated, in-depth knowledge of application security to customize scripts to your organization’s specific business context, and uncover breaches that only human logic and intuition are capable of exposing.
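The ongoing, customizable source code analysis this stage describes can be started with something as small as a rule-driven line scanner. The example below is added here to show the shape of such a tool; it is not Comsec’s tooling, and the rule set, the severities, and the sample source it scans are all constructed for illustration.

```python
"""Rule-driven source scanner of the kind a security code review stage can
run continuously over a code base.  Added example with a constructed rule
set and constructed sample source; it is not Comsec's tooling."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    pattern: re.Pattern
    severity: str


@dataclass(frozen=True)
class Finding:
    filename: str
    line: int
    rule_id: str
    severity: str
    snippet: str


# Hypothetical starting rule set.  Each rule is a regex over one source line;
# a team customizes this list to its own frameworks and coding conventions,
# which is what keeps the noise down.
DEFAULT_RULES = [
    Rule("HARDCODED_SECRET", "credential assigned from a string literal",
         re.compile(r"(?i)(password|passwd|secret|api_key)\s*=\s*['\"][^'\"]+['\"]"),
         "high"),
    Rule("SQL_STRING_BUILD", "SQL passed to execute() built by concatenation, "
         "%-formatting, .format() or an f-string instead of a bound parameter",
         re.compile(r"""execute\(\s*(f["']|"[^"]*"\s*(\+|%[^s])|'[^']*'\s*(\+|%[^s])|[^)]*\.format\()"""),
         "high"),
    Rule("WEAK_HASH", "MD5/SHA-1 used where a password or integrity hash is needed",
         re.compile(r"hashlib\.(md5|sha1)\("), "medium"),
    Rule("TLS_VERIFY_OFF", "certificate verification disabled on an HTTPS client call",
         re.compile(r"verify\s*=\s*False"), "high"),
]


def scan_source(source: str, rules=DEFAULT_RULES, filename: str = "<input>"):
    """Run every rule over every non-comment line; return findings in line order."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        stripped = text.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule in rules:
            if rule.pattern.search(text):
                findings.append(Finding(filename, lineno, rule.rule_id, rule.severity, stripped))
    return findings


def summarize(findings):
    """Count findings per severity, the figure a release decision would look at."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample source to scan (it is only inspected as text, never run).
SAMPLE_SOURCE = '''\
import hashlib
DB_PASSWORD = "hunter2"
def lookup(cur, user):
    cur.execute("SELECT id FROM users WHERE name = '" + user + "'")
def store(pw):
    return hashlib.md5(pw.encode()).hexdigest()
def safe_lookup(cur, user):
    cur.execute("SELECT id FROM users WHERE name = %s", (user,))
def fetch(url):
    return requests.get(url, verify=False)
'''

if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE, filename="sample.py")
    for f in results:
        print(f"{f.filename}:{f.line} [{f.severity}] {f.rule_id}: {f.snippet}")
    print(summarize(results))
```

Run on the constructed sample, the scanner flags the hard-coded password, the concatenated SQL, the MD5 hash, and the disabled certificate check, while leaving the parameterized query alone. Line-based regexes see one statement at a time, so statements spread over several lines need a real parser; tailoring the rules to the code base under review, as the text describes, is what keeps the findings accurate.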

Stage Four: Overall Security Testing
Using the user interface, browsing, and the various functional procedures of the application, security testing examines issues such as the following: the user registration process, password management, user management, system timeouts for sessions and dialogs, user login processes, SSL usage, security interfaces, and any other components that may influence the security of the product.
All the various scenarios and types of penetration tests aimed at assessing the quality of the operating security mechanisms are carried out. Information Security Product Evaluation provides assurance that the product complies with security “best practices”, provides the expected security whenever it is required, and does not expose its consumers to new security vulnerabilities. The purpose of this stage is to examine the inherently planned information security level of a product, with the intention of ensuring the highest standards of information security while also focusing on the product’s integration with its working environment.
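Part of this stage’s checklist (session timeouts and SSL usage) can be verified automatically from a captured HTTP response. The following example is added here and is not Comsec’s test suite; the two responses, the session-lifetime limit and the HSTS threshold are constructed values standing in for an organization’s own policy.

```python
"""Automated checks for a few Stage Four items: session cookie attributes,
session lifetime, and transport security headers, run against a captured
HTTP response.  Added example; the responses and thresholds are constructed,
not Comsec's test suite."""

# Hypothetical policy thresholds for the checks below.
MAX_SESSION_SECONDS = 900          # idle session should expire within 15 minutes
MIN_HSTS_SECONDS = 31536000        # HSTS max-age of at least one year


def parse_set_cookie(value: str):
    """Split a Set-Cookie value into (cookie name, {attribute: value or True})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_session_cookie(set_cookie: str, max_age_limit: int = MAX_SESSION_SECONDS):
    """Return the list of policy violations for one Set-Cookie header."""
    name, attrs = parse_set_cookie(set_cookie)
    issues = []
    if "secure" not in attrs:
        issues.append(f"{name}: missing Secure attribute (cookie may travel over plain HTTP)")
    if "httponly" not in attrs:
        issues.append(f"{name}: missing HttpOnly attribute (readable from script)")
    if str(attrs.get("samesite", "")).lower() not in ("strict", "lax"):
        issues.append(f"{name}: SameSite not set to Strict or Lax")
    max_age = attrs.get("max-age")
    if max_age is None:
        issues.append(f"{name}: no Max-Age, so the idle timeout must be enforced server-side")
    elif not str(max_age).isdigit() or int(max_age) > max_age_limit:
        issues.append(f"{name}: Max-Age {max_age} exceeds the {max_age_limit}s session limit")
    return issues


def audit_transport_headers(headers, min_hsts: int = MIN_HSTS_SECONDS):
    """Check that HSTS is present and long-lived."""
    issues = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        issues.append("no Strict-Transport-Security header")
        return issues
    directives = {}
    for directive in hsts[0].split(";"):
        key, _, val = directive.strip().partition("=")
        directives[key.lower()] = val
    if not directives.get("max-age", "").isdigit() or int(directives["max-age"]) < min_hsts:
        issues.append(f"Strict-Transport-Security max-age below {min_hsts}s")
    return issues


def audit_response(headers):
    """Run every check over a response given as a list of (name, value) pairs."""
    issues = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            issues.extend(audit_session_cookie(value))
    issues.extend(audit_transport_headers(headers))
    return issues


# Constructed responses: one as a product might ship before testing, one hardened.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=8f3a2c; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "SESSIONID=8f3a2c; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=900"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or "no issues")
```

The weak response produces five findings (no Secure, HttpOnly or SameSite on the session cookie, no bounded lifetime, and no HSTS); the hardened one passes cleanly. Checks like these belong in the regression suite that Stage Five reruns on every release, so a cookie attribute dropped during a refactor is caught before shipping.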


Stage Five: Ongoing Maintenance
This stage includes maintaining security levels across new releases, regression testing to ensure that security is preserved, and overall process improvement. It ensures that new vulnerabilities are not introduced as a result of faulty planning or ongoing management.





The above model exhibits the different stages of the SDL process, and the phases within each stage that are necessary to ensure the successful implementation of the secure SDL.

Comsec’s professional experience and research has clearly confirmed that, when executed correctly by a team with the proper in-depth expertise in the SDL process, the integration of an SDL into the product development practice will in effect:

* Reduce overall costs
* Increase development efficiency
* Improve application security
* Reduce time-to-market of new functional features
* Improve the degree of the application security maturity
* Allow senior management a clear view of product security
* Ensure effectiveness of security efforts
* Ensure efficient use of development resources
* Lead to increased customer satisfaction



About Comsec:
Comsec Consulting (TASE: CMSC) is a leading provider of Information Security and Operational Risk services to organizations worldwide. Founded more than two decades ago, Comsec operates offices in the United Kingdom, the Netherlands, Poland, Turkey, France, and Israel, and has affiliates in the Far East. Comsec covers all aspects of Information Security, from strategy and architecture, planning, design, ERP security services, and advanced security solutions, to PCI and ISO 27001 compliance, for all market sectors. In addition, Comsec provides deep-level application threat assessment and testing services to leading software development companies and enterprises across the globe.