James Ransome - Core Software Security: Security at the Source


  • Book:
    Core Software Security: Security at the Source
  • Author:
    James Ransome
  • Publisher:
    Auerbach Publications
  • Year:
    2013

Core Software Security: Security at the Source: summary, description and annotation

... an engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products. ... Readers are armed with firm solutions for the fight against cyber threats.
Dr. Dena Haritos Tsamitis, Carnegie Mellon University

... a must read for security specialists, software developers and software engineers. ... should be part of every security professional's library.
Dr. Larry Ponemon, Ponemon Institute

... the definitive how-to guide for software security professionals. Dr. Ransome, Anmol Misra, and Brook Schoenfield deftly outline the procedures and policies needed to integrate real security into the software development process. ...A must-have for anyone on the front lines of the Cyber War ...
Cedric Leighton, Colonel, USAF (Ret.), Cedric Leighton Associates

Dr. Ransome, Anmol Misra, and Brook Schoenfield give you a magic formula in this book - the methodology and process to build security into the entire software development life cycle so that the software is secured at the source!
Eric S. Yuan, Zoom Video Communications

There is much publicity regarding network security, but the real cyber Achilles heel is insecure software. Millions of software vulnerabilities create a cyber house of cards, in which we conduct our digital lives. In response, security people build ever more elaborate cyber fortresses to protect this vulnerable software. Despite their efforts, cyber fortifications consistently fail to protect our digital treasures. Why? The security industry has failed to engage fully with the creative, innovative people who write software. Core Software Security expounds developer-centric software security, a holistic process to engage creativity for security. As long as software is developed by humans, it requires the human element to fix it. Developer-centric security is not only feasible but also cost effective and operationally relevant. The methodology builds security into software development, which lies at the heart of our cyber infrastructure. Whatever development method is employed, software must be secured at the source.

Book Highlights:

  • Supplies a practitioner's view of the SDL
  • Considers Agile as a security enabler
  • Covers the privacy elements in an SDL
  • Outlines a holistic business-savvy SDL framework that includes people, process, and technology
  • Highlights the key success factors, deliverables, and metrics for each phase of the SDL
  • Examines cost efficiencies, optimized performance, and organizational structure of a developer-centric software security program and PSIRT
  • Includes a chapter by noted security architect Brook Schoenfield who shares his insights and experiences in applying the book's SDL framework

View the authors' website at http://www.androidinsecurity.com/


CORE SOFTWARE SECURITY

SECURITY AT THE SOURCE

JAMES RANSOME

ANMOL MISRA

CONTRIBUTING AUTHOR (CHAPTER 9): BROOK SCHOENFIELD

FOREWORD BY

HOWARD SCHMIDT

CRC Press

Taylor & Francis Group

6000 Broken Sound Parkway NW, Suite 300

Boca Raton, FL 33487-2742

© 2014 Taylor & Francis Group, LLC

CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper

Version Date: 20131031

International Standard Book Number-13: 978-1-4665-6095-6 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Ransome, James F.

Core software security: security at the source / James Ransome and Anmol Misra.

pages cm

Includes bibliographical references and index.

ISBN 978-1-4665-6095-6 (hardback)

1. Computer security. I. Title.

QA76.9.A25R356 2013

005.8--dc23 2013042460

Visit the Taylor & Francis Web site at

http://www.taylorandfrancis.com

and the CRC Press Web site at

http://www.crcpress.com

To Dr. Tony (Vern) Dubendorf, who passed away earlier this year. He was a true friend, co-worker, collaborator, confidant, co-researcher, co-author, and co-architect of the Getronics Wireless Integrated Security, Design, Operations & Management (WISDOM) solution.

James Ransome

To Dad, Mom, Esu, Anu, Mausi, and Prince.

Anmol Misra

The global cyber security threat is increasing on a regular basis, if not daily. The recurring question is how we address the current threat of global cyber security. The authors have aptly named their book in response to this question, in that the answer is to create software that has as minimal vulnerabilities as possible. In other words, focus on securing at the source first, instead of taking shortcuts by only trying to secure network infrastructure. Perimeter security and defense-in-depth have their place in security, but software security is the first line of defense and should come first. If you have fewer vulnerabilities at the source, it also takes out the financial benefit of nation states or organized crime stockpiling cyber weapons based on current vulnerabilities. Not only must we get better at it, we must make the solutions cost-effective, operationally relevant, and feasible, based on real-world experience, and worth the investment. Securing at the source requires securing the software, which is at the heart of cyber infrastructure. One of the things we have been constantly facing over the last 20 years is that software has become a critical component of every part of our critical infrastructure and everyday lives. We are already seeing software embedded within a vast variety of things we use in our daily lives, from smart meters in our home to cars we drive. Unfortunately, software security has not evolved at the same pace, and many software products are still developed in an environment with the intent that they fix the problem after release rather than doing it right the first time around. There are two major issues with this:

  1. There are no shortages of threats out there today; therefore, people who are looking to exploit software vulnerabilities have a pretty fertile field in which to work. As a consequence, we have to make sure we are doing better vulnerability management. We also have to look toward the future and ask ourselves, "How can we avoid having these types of vulnerabilities in future generations of software that we are increasingly dependent on?" The answer to this question is particularly important because it is very beneficial to companies to reduce these vulnerabilities and to stop them during the software development process. It is significantly less expensive to build security in through the use of a SDL than to come back and fix it post-release.

  2. The second issue is that we need to start looking at a whole generation of what is referred to as zero-day vulnerabilities. If we can eliminate the likelihood of finding a zero day by not allowing the vulnerabilities to take place from the very beginning by adhering to the best practices of a solid SDL, it will save companies money, make the software and its users more secure, the critical infrastructure more resilient, and overall, more beneficial to us all.

As the Executive Director of the Software Assurance Forum for Excellence in Code (SAFECode), a nonprofit organization dedicated exclusively to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, I currently have a major focus on security training for developers. The lack of security awareness and education among the software engineering workforce can be a significant obstacle to organizations working to implement software security programs. However, better training for software developers so they have the skills needed to write secure code is just one of the variables in the software security equation. Software projects are under the constraints of costs and tight timelines. In those situations, it is inevitable that security is sacrificed somewhere because of shortcuts taken. Cost, time, and resources are typically the triad of software development supporting security, and if you sacrifice one of the three, security and quality suffer. A software development environment is built around a programmer who is pressured on every side to work faster, to cut corners, and to produce more code at the expense of security and quality.

It is impossible to have 100 percent security, but the developers and their management should always strive to maximize the mitigation of risk. It is about making it so difficult to access in an unauthorized manner that adversaries:
