Triangulating the software security assurance triangle

It has become commonplace to hear multiple news stories about major technology companies and zero-day vulnerabilities in the products or services they provide. What often seems to resurface from customers and the press are comments questioning a technology company's commitment to software security assurance. Software security assurance requires a development organization to create and apply a set of methods and processes that ensure that software functions as intended and does not include vulnerabilities, malicious code, or defects that can bring harm to the end user. Software security assurance is arguably one of the most important and least understood areas of software development.

Everyone is looking for a culprit to blame for security vulnerabilities.  We have found the enemy and it is NOT us.   Instead, it is our – the industry's – approach to the software security process that needs to be reassessed.  We need to approach the security challenge with fresh eyes and ideas. There are preemptive measures within our reach to help diminish threats; we can and should proactively pursue them.    

I believe we are at a critical juncture in our technology and business timeline. We need to take a broader view of the forces at play and accelerate focus on security among the stakeholders involved. We at SAFECode, a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services, have developed the following three strategies, the Software Security Assurance Triangle, that are critical to implement to reduce security vulnerabilities.

1. Secure Software Development Must be a Holistic Process  

It is widely understood that the organization that develops software for applications, products, or services has the responsibility to adopt a holistic secure development process to minimize the risk of vulnerabilities in the code they create. In the 15 years since Bill Gates issued his Trustworthy Computing memo, the focus of development organizations on preventing, detecting and promptly addressing vulnerabilities in their code has drastically improved. No responsible organization with a long history of developing software would ignore or hide critical vulnerabilities in their code. If vulnerabilities remain, they are the result of legacy design decisions, the complexity inherent in feature-rich products and services, or sophisticated exploitation of highly complex software architectures. When such vulnerabilities are reported, they are addressed with security updates in a prompt and effective manner. More importantly, such vulnerabilities provide feedback that is used to update software security processes, tools, and training and reduce the likelihood that similar vulnerabilities will occur in the organization’s software in the future. 

We should be very clear: the existence of vulnerabilities in software results from the complexity of modern software. Most mature development organizations have made investments to address software security that have made attackers' task of finding exploitable vulnerabilities much harder. That said, there are commitments and actions by stakeholders other than the development organization (summarized in the two sections below) that can significantly contribute to improving the overall state of software security assurance.

2. Today's Software Developer Needs Security Knowledge 

The market can be powerful but the software security problem cannot be fully addressed if we ignore its roots. The digital economy runs on software and needs more and more developers. Every year, hundreds of thousands of software developers join the workforce without even a basic knowledge of security. The burden of educating and training developers on software security is left to the development organizations that hire them. This is an important point because developers play a critical role in software security assurance; in today’s IT landscape this role has never been more imperative.    

While development organizations can and should train their employees on company-specific tools and processes, a basic understanding of software security and the sources of vulnerabilities is as fundamental as other aspects of computing such as data structures.  You cannot become a structural engineer without being trained on fire safety for structural members, but you can earn a software engineering degree without being exposed to basic concepts of software security. Colleges, universities, coding boot camps and other developer training organizations must address the security education of software developers or the software security problem will persist for decades to come. 

At SAFECode we have released a number of free resources including industry-developed white papers and online training to support developers' efforts to create more secure software. But we would also like to cooperate with the software engineering education community to help integrate basic concepts of software security into all developers’ education. 

3. The Technology Consumer Must Demand Security Assurance  

We should not underestimate the power of the market. Technology consumers play a key role in driving vendors to adopt a holistic secure development process. They own the budget and have the power to pressure their vendors. However, to be effective and avoid diverting vendors’ efforts into producing compliance documents rather than secure software, it is critical that technology consumers assess their vendors using international standards or industry frameworks that focus on the actual application of rigorous secure development processes.   

Technology consumers also have a responsibility for protecting their own systems. They must understand and manage the risk associated with their systems and the products they acquire, and they must operate and administer their systems securely, including, for example, installing security updates on a timely basis, changing default passwords, and holding their users accountable. And if they find that the products and services they are using make any of those tasks difficult or impossible, they should provide clear feedback to their suppliers.

Triangulating On The Triangle 

Over the last 15 years, development organizations have made a great deal of progress in articulating and applying approaches to building secure products and services. While stakeholders must acknowledge that security vulnerabilities will never be completely eradicated, they should also understand that they can be significantly reduced in prevalence and severity if: 

  1. Development organizations adopt a holistic secure development process.
  2. Software developers are taught security as part of their software engineering education.
  3. Technology consumers insist that their vendors adopt a secure development process.

SAFECode provides resources for assisting all software security stakeholders in executing such a strategy: practices for development organizations, training modules for developers and an assessment framework for technology consumers.    

I invite all development organizations, educational institutions and technology buyers to join SAFECode in continuing to advance the Software Security Assurance Triangle. I look forward to your response and encourage you to provide your input and insights.

Steve Lipner, Executive Director, SAFECode 
