The ongoing epidemic of data breach notifications forced by today’s data breach disclosure laws has painfully highlighted the insecurity of many of today’s applications. How, then, can organizations ensure their applications are secure, and avoid the cost and public relations fallout — not to mention stock price downturn — inherent in issuing numerous security patches, or worse, having to explain to consumers and regulators how code defects allowed attackers to steal people’s sensitive and perhaps regulated information?

The path to creating a secure application begins by rigorously testing source code for any and all vulnerabilities, to ensure the application will not compromise, or allow others to compromise, data privacy and integrity. For companies using custom-built, outsourced, or open source applications in-house, however, ensuring that all current and legacy code is secure will be no small challenge.

Detecting and eradicating security vulnerabilities has historically been extremely difficult. Many organizations relied on manual code review, which is costly and labor-intensive, and on penetration testing, which examines only a subset of an application’s potential vulnerabilities. While both of these approaches have their uses, automatic software vulnerability scanning tools now allow companies to approach secure code development in a more systematic, automated, and successful manner. These tools greatly improve the speed and accuracy of code review, and may be integrated seamlessly into the development lifecycle. In fact, the best tools can pinpoint each vulnerability at the precise line of code and provide detailed information about the type of flaw, the risk it poses, and how to fix it.
COST CONCERNS DRIVE COMPANIES DOWN THE SECURE CODE DEVELOPMENT PATH

The imperative for creating secure code has never been greater, given the rapid rise in new technologies — including Web Services and rich Internet applications — and the need to ensure the integrity of existing, legacy, and under-development applications in an increasingly network-oriented world, in which companies continue to integrate their systems with business partners to speed the exchange of information. In these conditions, companies must ensure code is secure, to protect data privacy, preserve customer loyalty, safeguard sensitive information, and maintain operational integrity.

One software flaw is all it takes to lead to a data breach. Take, for example, the late-2006 attack on a University of California, Los Angeles database containing personal information on 800,000 people — one of the worst educational data breaches ever disclosed. In news accounts, Jim Davis, UCLA’s associate vice chancellor of IT, revealed that the attacker had exploited a single software flaw to gain access. Furthermore, the attacker covered his or her tracks well: the exploits may have begun up to a year before UCLA detected them.

Inadvertent disclosure of a company’s sensitive information, or of private and regulated information, can lead to fines, lower stock prices, and damage to a company’s reputation with its clients. Monetarily, numerous studies have found that catching and fixing code flaws costs significantly less the earlier it happens in the software development life cycle. To that financial incentive for scanning code for vulnerabilities throughout development, add the cost of just one bug that ends up in released code and leads to a data breach. Studies bear out this concern.
A survey of 31 companies that suffered data breaches found the average breach cost $4.8 million, related to IT clean-up, legal fees, notifications, customer loss, credit monitoring services for affected consumers, and the increased customer service load. The survey, by the Ponemon Institute, also discovered customer turnover related to the data breach averaged 2 percent, but in some cases was as high as 7 percent.
THE PATH TO SECURE CODE DEVELOPMENT PRACTICES

What is the best way to ensure code is secure? The path to effective secure software development requires that source code review processes accomplish three things:

1. Consistency: Create consistent processes, policies, and a culture of improved security.
2. Provide the whole security picture: When it comes to dangerous vulnerabilities, large-scale design flaws typically trump individual coding errors. Fixing individual vulnerabilities will have little effect if data is not encrypted, authentication is weak, or there are open backdoors in an application.
3. Prioritize remediation: When reviewing existing code, developers must identify all vulnerabilities in the code, then remediate the greatest risks first.