The Developer Role: Control No. 7
Application software security is the control most often weakly implemented. Effective implementation calls for three processes:
- Testing all applications using source-code analysis tools (Ounce Labs, Fortify, Coverity, and Veracode are among the most widely used); Web application scanning tools (such as IBM Rational AppScan, Hewlett-Packard WebInspect, and Cenzic Hailstorm); and, for important applications, application penetration testing. But the control isn't in place when tests are run; it's in place only when the processes can ensure that problems are fixed or vulnerabilities mitigated with other defenses, such as a Web application firewall.
- Training and testing programmers in secure coding skills in their own programming languages. The training focuses on finding and fixing the critical errors identified in the "25 Most Dangerous Programming Errors" (www.sans.org/top25errors), developed jointly by NSA, DHS, Mitre, and SANS. The control is in place only if the programmers pass periodic competency exams in each language they use.
- Procurement language requiring software suppliers to implement the first two processes. Putting these requirements into all contracts that result in software being delivered or used on behalf of the organization extends the control to where it can do the most good.
The Way Forward
The outline of a new era is taking shape in security. In the past, security was usually "bolted on" after systems were designed and deployed. That doesn't work. Security is effective only when it's "baked in."
Security is baked in when very large buyers or groups of smaller buyers act jointly to establish minimum security standards for the software and systems and networks they buy, and then demand that vendors deliver technology that meets those standards.
The U.S. Air Force offers the most successful example. With the help of the NSA, the organization that best understands how attacks are launched and why they work, the Air Force identified how Windows should be configured to make it tougher to attack, then persuaded Microsoft to sell 500,000 copies of Windows XP and Vista preconfigured with all key security settings installed. Air Force users could turn on their PCs knowing they were safely configured. The Air Force saved more than $200 million in acquisition and operations cost, radically improved defense against common attacks, and made users happier because systems failed less often. Today, commercial organizations and governments benefit from the more secure version of Windows.
By replicating and expanding the Air Force process, the federal government can use its buying power to provide incentives to bake security into all products and services it buys, with the ultimate goal of making security less expensive, easier, and more effective for all buyers of the same technologies.
The 20 Most Critical Security Controls automate the measurement of these baked-in controls and can themselves be purchased baked into network and systems monitoring software.
A new era of buying security baked in and continuous monitoring of focused, offense-informed security controls has begun. In government, it's made possible by sharing attack and defense information across the U.S. government and its contractors, and represents the best hope against increasingly sophisticated cyberspace attacks. Any business trying to answer the questions "What do we need to do?" and "How much is enough?" would do well to focus on implementing and automating the 20 critical controls.