Programmed for security

Two initiatives take on the challenge of promoting better software development

For years, security experts
and users have urged software
developers to improve the quality
of their coding, complaining that
information technology security
cannot make strides until developers
bolster the underlying
software.

'Software is bloated, and
nobody tests it very well,' said
Keith Rhodes, chief technologist
at the Government Accountability
Office.

As a result, developers repeat
common errors that
cause recurring vulnerabilities
in much of the software
being deployed, providing
easy targets for hackers. Vendors
regularly provide patches
for known flaws, but the
patching process can be an
administrative headache, and
some software copies inevitably
remain exposed.

Two initiatives announced
recently address
the demands
for better software
development.
The SANS Institute
has introduced a new
Secure Software Programmers
certification
for two popular programming
languages.

The first round of exams, offered
in Washington in August by Global
Information Assurance Certification,
a SANS affiliate, drew 42
people, 23 of whom earned Graduate
Studies and Special Programs
(GSSP) certificates. The program
is a response to the failure of the
academic community to provide
adequate training, said Alan Paller,
SANS' research director.

'You can't write good code if no
one has shown you what you're
trying to do and why,' Paller said.
'[But] colleges are not including
secure coding in their core programming
courses. You couldn't
talk them into it. We have to give
them a clear demand.'

Creating demand

SANS' leaders contend that an
industry-recognized certification
will spur students' demand for
software security training and
certification.

The program may already be
gaining traction. SANS has
formed a partnership with the
University of North Carolina at
Charlotte, which will begin including
secure programming
in its computer science
courses.

The university also will
launch a regional GSSP testing
center. Students will receive
steep discounts for certification
testing, which now
costs $499. The school also
will help develop SANS workshops
on secure coding for
college faculty.

On another front, a handful
of major IT companies in October
founded an industry organization
to develop and
share best practices for secure
software development.

The Software Association
Forum for Excellence
in Code, or SAFEcode,
is a nonprofit technical
organization that will
build on the efforts of
individual companies
to improve product
development practices,
said executive director
and former
White House cybersecurity adviser
Paul Kurtz.

Many companies have internal
programs to improve the quality
of the code they produce, but poor
communications have limited
their effectiveness, Kurtz said.
SAFEcode will identify parallels
between the companies' practices
to develop industry best practices.
Founding members are Microsoft,
Symantec, EMC, Juniper Networks
and SAP.

SAFEcode members also expect
to help develop educational programs
and curriculum for good
coding, Kurtz said.

'Over time, I assume we will be
working with SANS,' he said. 'To
get code better, you have to go
back to curriculum.'

But certified programmers eventually
will have to work in organizations
with appropriate practices
to make use of those skills and
produce good software.

Operator errors

IT security does not depend entirely
on the software development
process, Rhodes said during
a recent panel discussion on vulnerability
assessment. Operators
of the nation's critical infrastructure
often do not pay enough attention
to their own security efforts,
he said.

'There is a great deal of bravado
among operators,' he said. 'They
are absolutely convinced of their
superiority, because on the average
day, they put up a damn good
fight.'

But the cards ultimately are
stacked against them because of
vulnerabilities in the software they
are running.

'There is always a loose screw,
and there is always a bad rivet'
that can lead to a catastrophic failure
if exploited.

Exploitation is almost inevitable
because programs are
being deliberately probed by sophisticated
hackers looking for
weaknesses that all too often are
easy to find, software security experts
say.

'We're long done with random
acts,' Rhodes said.

Hacking today is the result of
systematic exploitation by professional
criminals who expect to
earn a profit from their efforts.
That has significantly upped the
stakes for software developers.
SAFEcode's founders started
planning the organization about
six months ago. It was unveiled at
the recent RSA Europe security
conference in London to emphasize
the fact that it will be a global
organization.

Kurtz, who left the Cyber Security
Industry Alliance Jan. 1 to join
Good Harbor Consulting, said
Good Harbor will provide backroom
administrative resources for
SAFEcode.

CSIA and SAFEcode share some
goals for the IT industry, but CSIA
is a lobbying organization focused
on legislative and governmental
policy.

SAFEcode is strictly a technical
organization, Kurtz said. 'We do
not have the ability to lobby, nor
do we want to lobby.'

Complex challenge

Given the track record of many
large software companies, some
would question whether the industry
is capable of developing
best practices to produce secure,
reliable code.

Microsoft began its Trustworthy
Computing Initiative five years
ago and is still releasing monthly
patches for its programs.

'Software code is very complex,'
with large programs such as operating
systems running into millions
of lines, Kurtz said. 'It will
take a long time to turn that ship
around. They have sought to improve
the process, but this is a process
that we will be addressing for
a very long time. In fact, it will be
continuous.'

Reaching the next level will
require cooperation among
companies, and with government
and academia, and that is
what SAFEcode is intended to
enable, Kurtz said. The organization's
first goal will be to establish
metrics for software assurance,
'an incredibly complex
thing to do.'

Paller said the Secure Software
Programmers certification is
unique at SANS because it is the
first time the organization has
started with an exam rather
than courses and curriculum to
teach the basic skills needed for
certification.

'The exam measures practical
skills rather than book learning,'
he said.

Courses are being developed to
support the GSSP exam. Large
corporations and government
agencies can get access to an online
version of the GSSP exam
for in-house testing. In-house
testing will not earn a certificate,
however.

Development of the exams
began in summer 2006 at SANS
with the cooperation of a number
of international industry and
U.S. government organizations.
Faculty at a number of universities
also participated in the process.
The exams are available for
the Java and C programming
languages.

In the first round of tests, seven
people earned certificates for the
C programming language, and 16
for Java.

The 42 participants are a drop
in the bucket of the millions of
programmers who conceivably
could benefit from the program,
but Paller was enthusiastic
about the initial response.
Given that the performance on
the exams is published, the decision
to take one without first having
a course available required a
leap of faith by the initial participants,
Paller said.

He said the success rate would
have been higher if courses for the
tests had been available. A 75 percent
certification rate is a good
goal, he said.

The next round of certification
exams in 18 cities worldwide is
scheduled for December, beginning
with a Dec. 2 test at Walt
Disney World in Orlando.
A second test is scheduled for
Dec. 12 in Washington at the
Wardman Park Marriott Hotel.

More information about
upcoming exams is available at
http://www2.sans.org/gssp/locations.php
.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above