Cyber criminals live off vulnerable software. That’s not exactly a revelation, but we need to bear in mind that if there were no software vulnerabilities, criminals earning a good living off the internet might have to find work elsewhere. Securing software is somewhat like the task of Sisyphus, the Greek king punished by the gods by being compelled to roll a huge boulder up a hill only to watch it roll back down every time. We may never get to the top of software security, but we have to keep pushing. A program described in a report just published by the Software Engineering Institute (SEI) at Carnegie Mellon University promises to give organizations a boost with their secure software development programs.
The Source Code Analysis Laboratory (SCALe) team, part of the CERT Program at SEI, describes a regime for code conformance testing against CERT secure coding standards. The report is characterized as a proof of concept, demonstrating how the testing program works. It’s reasonable to assume an organization could apply the program to their own internal software development security practice, use it to help vet secure coding and testing practices by third-party developers and security consultants, or submit their code to SCALe for testing, when the program becomes operational.
The proof of concept will be initiated with a small group of clients in a pilot program, during which CERT “will test and refine processes, procedures, systems, and outputs.” Once CERT is satisfied that the program is ready for prime time, it will license a small number of organizations to create their own SCALe labs. These labs will perform their own assessments in conformance with SCALe standards, report the results to CERT and be subject to audits to ensure they are implementing their programs properly.
The ultimate aim is more extensive adoption of SCALe through third-party organizations and/or SEI partners.
The SCALe process gets fairly technical, but at a high level, code undergoes a detailed testing regime using manual analysis, augmented, where indicated, by unspecified automated static and dynamic analysis tools. Diagnostics are performed, compiled and merged, resulting in what CERT describes as “confirmed diagnostics” and “probable diagnostics.”
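The report leaves the merging step at that high level, so here is an added illustration of the general idea, not CERT’s SCALe tooling or its actual classification rule: diagnostics from two analyzers are parsed, merged by file, line and CERT rule ID, then sorted into “confirmed” (a manual reviewer verified the defect), “dismissed” (the reviewer rejected it) and “probable” (tool-reported, not yet reviewed). The line format, the tool names `toolA`/`toolB`, the sample findings and the review verdicts are all constructed; only the rule IDs (STR31-C, INT32-C, MSC24-C, EXP33-C) are real CERT C rule identifiers.

```python
"""Added example: merge static-analysis diagnostics with manual review verdicts.
This is an illustration of the idea, not SCALe's process or output format."""
import re
from collections import defaultdict

# Constructed sample output from two hypothetical analyzers (assumed format):
#   tool:file:line:CERT-rule-id:message
TOOL_A = """\
toolA:src/parse.c:42:STR31-C:possible buffer overflow in strcpy
toolA:src/net.c:118:INT32-C:signed integer overflow in length computation
toolA:src/log.c:7:MSC24-C:use of obsolescent function"""

TOOL_B = """\
toolB:src/parse.c:42:STR31-C:unbounded copy into fixed-size array
toolB:src/net.c:118:INT32-C:arithmetic may overflow
toolB:src/cfg.c:55:EXP33-C:read of uninitialized variable"""

# Constructed manual-review verdicts keyed by (file, line, rule).
# True = auditor confirmed a real defect, False = judged a false positive.
MANUAL_REVIEW = {
    ("src/parse.c", 42, "STR31-C"): True,
    ("src/log.c", 7, "MSC24-C"): False,
}

LINE_RE = re.compile(
    r"^(?P<tool>[^:]+):(?P<file>[^:]+):(?P<line>\d+):"
    r"(?P<rule>[A-Z]{3}\d{2}-C):(?P<msg>.*)$"
)


def parse_diagnostics(text):
    """Parse one tool's output into dicts; malformed lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        d["line"] = int(d["line"])
        findings.append(d)
    return findings


def merge_diagnostics(tool_outputs, manual_review):
    """Merge findings from several tools by (file, line, rule) and classify them.

    Classification rule (assumed for this example, not SCALe's):
      confirmed - manual reviewer verified the defect
      dismissed - manual reviewer rejected it
      probable  - reported by at least one tool, no manual verdict yet
    Each merged entry records which tools reported it, so a reviewer can
    prioritise findings corroborated by more than one analyzer.
    """
    merged = defaultdict(lambda: {"tools": set(), "messages": []})
    for text in tool_outputs:
        for d in parse_diagnostics(text):
            key = (d["file"], d["line"], d["rule"])
            merged[key]["tools"].add(d["tool"])
            merged[key]["messages"].append(d["msg"])

    result = {"confirmed": [], "probable": [], "dismissed": []}
    for key, info in sorted(merged.items()):
        entry = {
            "file": key[0],
            "line": key[1],
            "rule": key[2],
            "tools": sorted(info["tools"]),
            "messages": info["messages"],
        }
        verdict = manual_review.get(key)
        if verdict is True:
            result["confirmed"].append(entry)
        elif verdict is False:
            result["dismissed"].append(entry)
        else:
            result["probable"].append(entry)
    return result


def summarize():
    """Compact view: (file, line, rule, number of tools) per category."""
    report = merge_diagnostics([TOOL_A, TOOL_B], MANUAL_REVIEW)
    return {
        cat: [(e["file"], e["line"], e["rule"], len(e["tools"])) for e in entries]
        for cat, entries in report.items()
    }


if __name__ == "__main__":
    for cat, entries in summarize().items():
        print(cat, entries)
```

The point of the tool count per finding is the same one the two-tier output serves: a finding both analyzers flagged at the same location is a better use of scarce reviewer time than one only a single tool reported, while nothing is promoted to “confirmed” without a human verdict.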
Make no mistake, secure software development requires resources that many organizations have been reluctant to commit. What’s more, software security expertise is a little scarce on the ground compared with the need. That’s why third-party help is often required. Enterprises face a dilemma: They have to be concerned not only with securely developing new code, but also with correcting flaws in existing production software, which is too often rife with hundreds, even thousands, of cross-site scripting, SQL injection and similar vulnerabilities.
The key for organizations is a top-down commitment to an enterprise-wide, systematic application security program. Otherwise, the result is inefficient one-off security efforts that are neither sustainable nor repeatable. Each secure software project becomes a fire drill, doomed to be repeated. The devil is not always in the details. SCALe and other secure code initiatives are within the capabilities of skilled practitioners and third-party specialist service providers. Committing your company to a secure software program, executing it and sustaining it…now, that’s hard.