Chapter 11. Forcing Firms to Focus: Is Secure Software in Your Future?
Beautiful security in software requires a fundamentally different business model from that which exists today. In fact, the current state of security in commercial software is rather distasteful, marked by embarrassing public reports of vulnerabilities and actual attacks, scrambling among developers to fix and release patches, and continual exhortations to customers to perform rudimentary checks and maintenance.
The solution is to embrace customer requirements for security controls in commercial software development. The business model for commercial software development firms has evolved to meet explicit customer requirements, but not implicit requirements, such as security. History has clearly shown that software providers are very good at delivering core functionality to meet customers’ time-to-market needs. But removing security vulnerabilities has never before been an explicit requirement. Is it possible to add it to the requirements model in a way that benefits both customers and software providers?
This chapter is a story of one firm’s pursuit to change the conventional model for acquiring and developing software. The ending of the story is not yet written, but the journey to this point may benefit other organizations interested in improving their resistance to software security exploits.
Implicit Requirements Can Still Be Powerful
Acquiring software is very different from other types of consumer purchases. However, to better understand the need for a different approach for acquiring software, it is useful to consider the following scenarios for customer requirements in other consumer-oriented businesses. I encourage you to ask yourself what you would do in the following scenarios if you were the consumer:
You walk into a McDonald’s, order a Big Mac, pay for it, and then notice when you sit down to eat the burger that it is room temperature instead of piping hot. What would you do?
You order a best-selling book on Amazon.com by a noted author, select overnight delivery because you can’t wait to get your hands on it to begin reading, open the package upon delivery, and notice that a 16-page folio is missing and the corners of most of the pages are crumpled, along with the book cover corners. What is your next step?
You purchase a professional desktop printing software package that enables slick photo editing and printing for $125.00 from Best Buy and install it on one of your home computers to both edit and manage your personal photos from your many interesting travel adventures. After completing the installation and doing some preliminary testing, you are satisfied that the software is functioning properly. You post many edited pictures of you and your significant other on your Facebook homepage and Flickr site to share with your friends. A few months later, you learn from a blog posting that the version of software you paid $125.00 for contains a security vulnerability that enables anyone that you shared the files with to see previous draft versions of your photos without the editing, which you did not mean for people to see. How do you respond?
Now, I’m willing to bet that in Scenario 1, you would bring the cold Big Mac back to the counter and demand one that was piping hot. And I suspect that 9 times out of 10 you will get exactly what you request. The probability of anyone receiving a Big Mac served at or below room temperature out of the 550 million Big Macs served each year is relatively low, given McDonald’s focus on quality and customer satisfaction. I wonder how many of those orders for Big Macs include an explicit request from the customer to deliver it to the counter hot. It is an implied requirement, but one that managers are anxious to fulfill. There is no need to specify your desire for a hot Big Mac upon ordering to ensure that the temperature is well above room temperature.
In Scenario 2, both you and the representatives at Amazon.com would likely agree immediately that 16 missing pages is a significant defect. I suspect that, given Amazon.com’s reputation for excellent customer service, you would receive a new book with all of the pages within a day or so without paying for additional shipping, after bringing this defect to their attention. In this scenario, you never specified that the book you ordered needed to have all of the pages. But no service representative from Amazon.com would point out that you did not specify that the book needed all of the pages. Once again, the requirement that the book contain all of the pages is implied. The inability of a bookseller to sustain a profitable operation while offering only partial pages in its books reinforces the industry’s common practices of offering all of the pages for every book.
Scenario 3 is much less likely to result in a satisfying outcome. The reason for this is that, although security may be an implicit part of your requirements when you purchase software, it is certainly not explicit. Furthermore, security rarely figures in the requirements when the software is developed, unfortunately. The majority of commercial software providers do very little to identify security vulnerabilities and address them during the development process.
As I said at the beginning of this chapter, the gap between adherence to explicit and implicit requirements is substantial. Commercial software providers focus on delivering functionality to meet the time-to-market demands of customers, and they do it well. New features and capabilities make it easier for them to differentiate their products from other commercial software developers and encourage their customers to purchase new software or upgrade old packages.
Clearly, the omission of security from explicit requirements is no reason to believe that customers don’t care about it, or don’t understand its importance. But customers don’t explicitly specify security requirements for two reasons:
There is no standard way of assessing software security.
Software vulnerabilities evolve and change with the threat landscape.
Determining whether a Big Mac is hot enough is a relatively trivial exercise for a customer. Determining whether a software product has security vulnerabilities requires an entirely different level of effort and expressiveness. There is no standard measure to determine the presence of software vulnerabilities or a secure approach to software development, which would resemble using a thermometer to determine the temperature of a Big Mac.
How One Firm Came to Demand Secure Software
I have worked for several highly regulated financial service firms with core business operations that rely heavily on the resiliency of their software. One of these companies, which I’ll give the fictitious name of Acme, launched an effort costing substantial money over several years and requiring intense involvement at the CIO level to reduce its security risks. The rest of this chapter explains how we started, championed, and extended these efforts.
At the time Acme committed itself to the long-term project described here, it had never made any previous attempts to improve software security. However, it had an impressive quality record, having made investments in the use of a consistent methodology for systems development and achieved a level 3 status in the Carnegie Mellon Capability Maturity Model Integration (CMMI) process. To address security, at first, Acme considered bringing in a few security vulnerability detection tools to use on selected projects in a “proof of concept” mode. This is a common approach that companies take when starting a secure software program.
But Acme’s chief information security officer (yours truly) read a book (Software Security: Building Security In, published by Addison-Wesley) on software security written by a recognized authority, Gary McGraw. Gary clearly points out that software security is more than identifying and removing defects in software code. In fact, over 50% of software vulnerabilities are based on defects in the architecture, not the code itself. I also recognized from previous experience in software development that identifying and addressing software defects early in the lifecycle is far more cost effective than fixing defects once the code is in production. I believed that emphasizing the identification and remediation of software defects early in the lifecycle was the best approach for creating an economic incentive for more secure software that the CIO was more likely to appreciate.
I knew from my previous experience in software development that encouraging software developers to think of security vulnerabilities as defects would be a significant challenge, requiring both a comprehensive education program and organizational development techniques for managing behavior change. I decided to put our focus on teaching developers to create secure code as opposed to spending a lot of money on pen testing services once the code was developed, tested, and implemented.
How I Put a Security Plan in Place
Carrying out this ambitious plan required a series of conversions in the attitudes of Acme chief officers, developers, and ultimately outside companies providing software. The steps in launching the plan are described in this section.
Choosing a focus and winning over management
Reformers can’t fix everything at once. I had to pick one area of software and strive for measurable improvements in security there. Fortunately, the concentration of vulnerabilities in modern software makes the choice easy, as it is also consistent with the highest risk exposure.
Modern software exploits, unlike such early annoyances as the Internet worm and the Melissa virus, involve money-making operations. Like any commercial enterprise, modern hackers consistently seek the method that yields the greatest financial result with the least amount of effort. That leads them to web-based exploits. On the one hand, web applications and the software platforms on which they are based tend to sprout bugs that intruders can exploit to gain entry to web servers and ultimately end-user machines. Correspondingly, the widespread use of web applications by millions of untrained computer users offers enormous paybacks for intruders interested in data theft.
Unsurprisingly, recent trends in security threat data clearly show the migration of hacker exploits away from network perimeters (routers, switches, firewalls, etc.) to the web application layer. Web applications are targeted because this area is the most economical approach to data compromise.
For more information on favorite hacking techniques for web applications, go to http://www.owasp.org, which shows the top 10 web-based exploits. Number one is cross-site scripting:
Cross Site Scripting flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. Cross Site Scripting allows attackers to execute script in the victim’s browser that can hijack user sessions, deface web sites, possibly introduce worms, etc.
At Acme, I justified the initial security focus by providing the President and COO with industry trend data clearly showing the rise in exploitation of web application vulnerabilities from the OWASP Top 10 list and from the Gartner Group (75% of hacks occur at the application level). McAfee recently released survey results that show that about two-thirds of mothers of teenagers in the U.S. are just as or more concerned about their teenagers’ online safety as they are about drunk driving or experimenting with drugs.
Showing the preponderance of web vulnerabilities in security exploits is quite helpful in persuading financial service executives to invest in security programs. Most organizations have increased their reliance on web applications in order to serve customers better and deliver greater efficiency. A nudge from an industry regulator also contributes to a compelling story about addressing application security. The President of Acme clearly understood the value of detecting software vulnerabilities, and of doing so early in the software development lifecycle, in order to reduce the significant cost of remediation or fixing the defects later.
Setting up formal quality processes for security
Given the go-ahead to integrate security into Acme’s development cycle, our initial work involved various forms of formalization and standardization, which would provide metrics and educational material for further efforts.
We created a list of key deliverables from CLASP (Comprehensive, Lightweight Application Security Process), a methodology for developing secure software developed by John Viega and adopted by OWASP. We integrated this into our software development lifecycle (SDLC) and enforced it through appropriate controls. For instance, one of the required deliverables near the start of each project was a document that identified the trust boundaries for an application: what data it manipulated and who was expected to have legitimate access to that data. This document helped define the application’s security requirements based on the classification of the data it handled.
Another area of formalization was to subject each new software architecture to an intensive review by the security organization, which had to approve the architecture before development could proceed to the next phase. Projects leveraging standard security architectures are encouraged to proceed with little required review.
Coders also got support and were required to meet security standards. To do this, Acme chose a static code analysis tool and required all Java and C++ code to pass through this tool with a certain threshold of quality before the code could go to the quality assurance team. A key criterion when we selected the tool was its high-quality contextual help, allowing relatively untrained developers to easily identify and understand security vulnerabilities.
Developer training
After persuading the chief officers of the company to launch this security initiative, I faced my second major challenge: encouraging the software developers to adopt and use the static analysis tool in the development process. As an entry point into the teams, I selected the most competent and highly respected developers and convinced their team leaders to nominate them for a special educational program to teach them about security. Developers who passed the test at the end of the course would be recognized as part of a newly established community of top developers and be handed an explicit and accepted responsibility to teach their peers about security.
The first class included 18 top developers nominated by their respective team leaders. The educational content was custom designed for Acme’s environment, based on an existing software development methodology called CLASP. Acme delivered the education in classrooms in a lecture format followed by workshops, using an outside consulting firm that specialized in software security. Several firms, such as Cigital and Aspect Security, specialize in assisting firms that are committed to implementing software security programs.
When the security process really took hold
An interesting event occurred on the third day of the security class. One of the most influential web developers, who developed a web application architecture used by multiple Acme web applications that were already in production, abruptly got up out of his chair and bolted for the door. He mumbled something about a burning need to test something. The instructor, coordinator, and I were concerned that one of the best developers had walked out on the class and began plans for damage control.
The next day, the developer returned to class and quietly sat down. The instructor felt compelled to ask the developer if everything was OK. The developer then stood up to address the instructor and the entire class: “I realized yesterday that the web application architecture I developed for several production applications had a significant security vulnerability that could be easily compromised by an external hacker using cross-site scripting. I ran the code through the static code analyzer and my worst fears were confirmed by the results, so I stayed last night and fixed the code. I used the static code analyzer and remediated the code, removing the critical vulnerabilities before turning it over for testing. It will be implemented tonight, and I’ll be able to breathe easier.”
From that point forward, few Acme developers were willing to challenge the need for a static code analysis tool. The attempt to win over the developers gained momentum.
Fixing the Problems
The next hurdle I faced turned out to be a debate with team leaders over the importance of handling the defects found during static vulnerability analysis. Several projects missed the threshold of acceptability and were sent back to the development team. Team leaders thus faced the need to spend more time, and therefore more money, fixing security flaws, which in turn could lead to missing delivery schedules and bringing projects in over budget.
I had anticipated extra costs and had tried to mitigate such concerns from team leaders. I had previously negotiated with the Acme CIO to add a 10–15% productivity factor into the annual budget for training, tool integration, and remediation requirements. The CIO and I had subsequently met with the business stakeholders and obtained their commitment to the additional time and budget for security.
But some team leaders were not playing along. They were unwilling to relax schedules or use the productivity factor to offset the increased time needed to fix identified vulnerabilities. They preferred to allocate time and budget to creating functionality rather than improving the vulnerability risk score of their team’s code. In effect, the team leaders conveniently assumed that security vulnerabilities were not defects and could be deferred for future enhancements or projects. Acme dealt with this problem by making two significant adjustments.
The CIO made the first key decision by reversing his earlier agreement and removing the 15% productivity factor, purely as a way of reducing the budget for software development and removing a level of contingency for all phases of the lifecycle. I initially dreaded this decision since it limited the leverage I had to encourage project leaders to identify and remediate security vulnerabilities. The results proved that this decision actually increased compliance with the security plan. With the requirement to pass the static analysis test still hanging over teams, they felt the need to remove defects earlier in the lifecycle so that they would avoid last-minute rejections.
The second decision was the implementation of a detailed reporting framework in which key performance metrics (for instance, percentage of high-risk vulnerabilities per lines of code) were shared with team leaders, their managers, and the CIO on a monthly basis. The vulnerability information from the static code analyzer was summarized at the project, portfolio, and organization level and shared with all three sets of stakeholders. Over time, development leaders focused on the issues that were raising their risk score and essentially competed with each other to achieve better results. This was not lost on the CIO, who would have no hesitation about calling a development leader up to his office to answer questions about an SQL injection vulnerability based on the monthly report.
Further resistance to the controls diminished. Although there remained Acme developers and team leaders who believed that the security controls were burdensome and constraining, they accepted them over time as core requirements.
Acme later added dynamic testing and manual penetration testing, run by outside services, to its core controls. The company spent a great deal of time to integrate the reporting of the vulnerability information into a model linked to Acme’s accountability model. This reinforced the desired behavior at all levels of the organization. The initial core team of 18 developers trained in security grew to over 70 within a three-year time frame. We also created a formal process for providing performance feedback on selected developers to their team leaders, which helped the developers trained in security to achieve promotions and rotations, bolstering their career development.
Extending Our Security Initiative to Outsourcing
The steps described so far took place at Acme’s main development site, where close monitoring and personal contact could reinforce the lessons and adherence to rules. But some development took place by outside service providers, who could not be reached by the intensive controls available in-house. Therefore, Acme designed some specific controls for off-site development. They were based on a few core controls:
Off-site developers had to integrate their code with code developed by Acme following the same core controls, such as the analysis tools.
Acme imposed standards on remote access architecture, including specific controls.
Access to development environments was monitored and strictly controlled by Acme, limiting access to essential development servers and tools.
Over the first years of the software security initiative, Acme increased the amount of off-shore development due to the attractive economics of using contractors in lower-cost foreign countries. This led to the emergence of new security issues. For instance, offshore vendor staff could potentially have access across applications to source code beyond what they needed for their respective project. Acme added a few selected controls to both monitor and restrict this access to files and development servers.
Enforcing Security in Off-the-Shelf Software
With a relatively mature application security program in place, Acme decided to tackle commercial off-the-shelf software, or COTS. Like most firms, Acme’s reliance on purchased software for business and workstation software was growing, and we had no security review prior to implementation of the software.
Within Acme there was a great deal of skepticism about the possibility of adopting any security controls for commercial software. The IT leaders were reluctant to support anything that added hurdles and time to the process of evaluating and selecting software packages. Acme business leaders were uncertain how software companies were going to react to customers requiring information on security controls in the development process.
But I was anxious to push for the adoption of security controls for at least a subset of commercial software applications. I recognized that software was playing an increasing role in commercial infrastructure, and that economics was driving companies such as Acme to depend increasingly on purchases from commercial software vendors. My rationale also took into account that over time, regulatory requirements were likely to include application security and that Acme needed to be ahead of the curve by adopting controls to avoid paying more for a “knee-jerk” reaction to a new regulation. For example, in April 2008 the Office of the Comptroller of the Currency (OCC) published comprehensive guidance on software security requirements for the financial service firms they regulate. It’s the first comprehensive regulatory requirement in the U.S. that is explicitly for software security. Attempting to adopt and implement a program to fully comply with the OCC requirements is a significant undertaking for firms without an established and mature program in place for software security. The cost alone for immediate compliance would be significant, in addition to the time and resource effort required. In addition, any control that we could implement would represent a significant improvement over the current situation, where we had no way to identify the security risks of using purchased software and no leverage over the providers. From my perspective, commercial software was simply one more important dimension of the IT supply chain that required appropriate controls.
When I presented the concept of commercial software controls to the Security Committee, there was significant debate. They ultimately agreed to try out this new process in a “proof-of-concept” project. I defined the evaluation criteria for the project, and I promised to provide the results to the committee.
I recognized that software companies were likely to resist the new requirements and that added delays in software procurement would be poorly received by business stakeholders. So I developed an approach where I would intervene in the negotiations with a software vendor prior to making a buying decision and simply request whatever artifacts the software vendor could provide to demonstrate effective controls in their software development process.
This request mirrored the information Acme was prepared to share with other customers who requested similar information from Acme. Acme had artifacts from the requirements, design, development, and testing phases of our software development lifecycle that demonstrated our security controls. The artifacts requested by Acme are identified in Figure 11-1. Each of the four boxes represents a core phase of a conventional waterfall methodology, identified by the label at the top of the box. The bottom of each box lists the categories of vulnerability detection tools and services we use.
In short, Acme laid out a conventional software development process and the types of tools and services we used for quality control and security checking, and asked vendors for similar information.
In addition, I decided to test out a new service from a young start-up firm that developed an innovative way to scan code binaries; for this article I’ll call it Verify. This new method did not require access to source code, a significant obstacle for commercial software vendors who go to great lengths to protect their proprietary intellectual capital. Acme offered the use of Verify to its suppliers as an alternative to providing Acme with the information previously mentioned about the four stages of development. If vendors opted to use Verify, Acme would use it to scan the binaries from their latest release of software. The software vendors receive the detailed scan results so they could identify and remediate the vulnerabilities based on risk and their priorities. I could then influence their priorities based on Acme’s needs. The Verify service provides a risk score using a consistent framework, and Acme is able to establish the required risk score for each software product or type of software product. So the level of vulnerabilities detected are comparable with other software products, applications developed by third parties, and systems that Acme has internally developed.
My proof-of-concept project included three mid-sized software firms. Two out of the three software vendors resisted the initial request for artifacts and reluctantly agreed to the Verify service. The third firm had coincidentally been asked to use the Verify service by another financial services firm as part of its own vendor evaluation process. This software vendor actually scored lower than its competitor in vulnerabilities discovered by Verify, but was selected by the financial services firm anyway because it showed a commitment to address the vulnerabilities and improve the software. This software firm hired Verify too and incorporated the service into its controls on a consistent basis, ultimately improving its risk score and the resiliency of its software. Several other firms, including Acme, asked for and received the vulnerability summary information from the software firm.
The results for the three software vendors that we asked for security controls were generally positive. Two of the three firms responded well to the vulnerability information and used the results to prioritize their remediation work effort. One of these vendors actually received a relatively lower risk score than its competitor in a separate evaluation by a financial services firm that was using the risk rating as an evaluation criteria, but the vendor’s response to the vulnerability risk information was so proactive and effective that it won the business anyway and later improved its risk score for Acme.
Acme does not expect perfect risk scores; it is more encouraged by vendors that demonstrate a willingness to learn how to improve their security controls over time.
The third vendor received a relatively low vulnerability score and then challenged the accuracy of the binary scanning technology. This firm had invested in the Common Criteria for Software from BITS, a financial services industry organization. This is a rigorous documentation exercise for controls and vulnerabilities that is labor intensive and whose value is tied directly to the specific version of software reviewed. Acme agreed to accept this as an artifact from this vendor but encouraged the vendor to engage with Verify. The ensuing dialogue with the vendor provided an effective assessment of security controls within the vendor’s environment and a significantly better understanding of the security risks that would go with the adoption of the vendor’s product into Acme’s environment.
The proof of concept demonstrated enough success for Acme to move forward and enforce security requirements for all future business application software purchases. I analyzed the existing inventory of desktop applications currently offered by Acme and selected products where we should require a security assessment prior to the annual license renewal. The Vendor Management Office contacted each vendor, explained the new security requirements, and gave them our choices of options for compliance.
Once again, Acme decided to take a gradual approach to improving software security by applying new security requirements only to a subset of the software purchased, business application software, which is typically web-based and offers the highest risk of exploit. Our plan was to evolve security assessment until we felt it was mature, and then apply similar requirements to all software procured by Acme.
Analysis: How to Make the World’s Software More Secure
Software, whether commercially produced or internally developed by IT organizations, has penetrated to the core infrastructure of the global economy. Very few commercial products or services can be provided effectively today without the contribution of software. The planes we fly for air travel were designed, manufactured, operated, and maintained by processes dependent on software functionality. The food we eat, the cars we buy, and the goods we acquire are enabled by software. Yet with all of this demand for functionality from software, companies and consumers still have a limited understanding of processes for creating resilient software with control of security vulnerabilities.
The Best Software Developers Create Code with Vulnerabilities
Designing software that is functional and works consistently is a challenge in the best of circumstances, and most software developers understand that there is really no way to guarantee quality in software design and development, regardless of their level of talent.
In regard to security, Acme understands how difficult it is to design and develop software with limited vulnerabilities and low risk. After all, we’ve developed software ourselves for years. But a cursory overview of the software development process clearly reinforces the need to perform code reviews that enable software developers to identify and correct software flaws during the development lifecycle. Acme believes that software code must be tested for security vulnerabilities during development as well as within the quality assurance testing cycles, leveraging multiple controls. This requirement applies equally to commercial software developers, off-shore application outsourcing service providers, and internal IT organizations.
The best software developers create great functionality that can be hacked due to vulnerabilities in the code. Software developers are typically very good at creating functional code, but the skill necessary for a malicious hacker to break an application is unique and very difficult to teach to a software developer.
Luckily, there are improvements in the tools and services available to detect vulnerabilities early in the software development lifecycle and correct them before the cost of remediation escalates. The analysis tool chosen by Acme provided context-sensitive help that actually promoted developer education as well as identifying immediate flaws that needed fixing.
A large body of evidence suggests that using a consistent, repeatable process followed by established practices does improve the probability of success in any engineering or manufacturing effort. The same is true for designing and building software that has limited security vulnerabilities. Consumers or business users can and should require the adoption of good practices to eliminate software defects related to security within the software development lifecycle.
Acme understands the need for security controls in the software development process for two fundamental reasons:
Security flaws are likely to be discovered in design, in the security and authorization architecture, in the actual software code, and in the configuration settings of the devices supporting the application. Therefore, multiple controls at different phases are essential.
Identification and remediation of vulnerabilities earlier in the software lifecycle lowers operating costs.
Acme has applied these principles to the design of our own program, along with the requirements we use with software vendors. That is why Acme believes that requesting a description of the security controls within a software development methodology is an effective way to engage software vendors in a joint assessment of the effectiveness of controls, in order to understand the inherent risk of commercial software.
Microsoft Leading the Way
One of the most common complaints Acme receives, when we give our security requirements to software vendors, is that one of the largest commercial software providers (which happens to be based in Redmond, Washington) is not expected to comply with Acme’s requirements, given the vendor’s market size.
But ironically, Microsoft is one of the few commercial software providers that addresses security in the software development process. They have made significant investments in updating their software development lifecycle with security controls, and currently have one of the most mature sets of security controls within their development process today, which has been emulated by other companies. Consumer perception of Microsoft products may be influenced by the relatively large number of patches released monthly, but the reality is that Microsoft has listened to customer needs for security and has made progress addressing these needs.
They got started by introducing security controls into their SDLC many years ago. One of their leading advocates for improving software security is Michael Howard, who has authored several books on software security. Microsoft recently released their Software Development Lifecycle (SDL version 3.2) to the public to promote better industry practices for security in software. It is clear that their ability to improve the software vulnerabilities in their products has been significantly enhanced in recent years.
In contrast, Acme has found that several other large software firms are offering a posture of resistance when confronted with a request to demonstrate security controls in their development process.
Software Vendors Give Us What We Want but Not What We Need
Unfortunately, companies and consumers have never really specified a preference software that is free from security vulnerabilities, nor have consumer buying habits indicated that this is crucial to success. The large majority of software Requests For Proposals (RFPs) released by organizations do not specify the identification of controls in the software development process that identify and remediate security flaws. In fact, researchers—rather than actual consumers—identify most security vulnerabilities.
Software vendors have responded by consistently releasing software patches that address known vulnerabilities as quickly as they can. Acme realizes that to blame software vendors for the growing level of security vulnerabilities in commercial software products today is not all that effective at yielding better results and is somewhat off the mark. Software vendors have largely given commercial customers what they have asked for: ever-increasing functionality delivered rapidly on open-standards-based platforms. Their business models reflect the churn for new functionality delivered rapidly to the market, and those that have mastered this process meet both consumer and Wall Street expectations.
Acme is attempting to alter that churning and inject security requirements into the software evaluation criteria for commercial software purchases. Will other firms follow suit? That remains to be seen. Will consumers adjust their behaviors? Perhaps they already have. We see a growing demand for software products that deliver a higher level of security for consumers.
Acme realizes that changing consumer behavior is well beyond the scope of reducing security risks at our own site. We focus on enforcing security requirements during our own software procurement. The success of this aspect of Acme’s security program will take years to evaluate.
Luckily, Acme’s commitment to improving the world of software development is mirrored in an entirely different and larger scale. There is a large organization that procures billions of dollars of software annually and has in recent years adjusted its procurement process for software and hardware to include requirements for security settings that it specifies. This is, of course, the U.S. federal government, which in early 2006 successfully negotiated a set of specific security settings that applies to all purchases of Win/Tel workstations configured with Microsoft Windows and other Microsoft software.
In 2005, the Air Force CIO successfully implemented security configuration standards after obtaining an agreement from Microsoft to configure workstations and Windows with the desired settings and then to test software patches on similarly configured workstations prior to releasing them. This program was so successful that the U.S. government implemented the same configuration requirements for all of its agencies. As an example, the Department of Agriculture specified security requirements in the End User Workstation Standards published on December 12, 2007. This is a department-wide standard established for the consistent application of security controls, and drives the procurement of all workstations. The standard includes such security requirements as:
Patch management
Anti-virus and anti-spyware software
Operating system security patches
Vulnerability scanning
Disk encryption
Multifactor authentication
There is light at the end of the tunnel for those firms that embrace a comprehensive software security program. Acme has gone over five consecutive months without any high-risk vulnerabilities in all of the projects supported by its 600+ developers. Acme has also completed analysis indicating that it realizes an 11% savings in productivity by eliminating security vulnerabilities earlier in the lifecycle, saving costly remediation work after the code is in production. Acme’s software security program reduces risk and improves productivity, enabling developers to focus on higher value activities. Every organization, both large and small, that procures software has an opportunity to apply the same type of logic to the procurement process and ask vendors to demonstrate compliance with security requirements through the three common types of vulnerability detection controls (static, dynamic, and manual). If we all make the demonstration of compliance to these types of controls a requirement in the procurement process, the software vendors, integrators, and outsourcers will respond over time by investing in these controls and sharing results with prospective customers, in order to demonstrate a competitive advantage over other firms that are less proactive. It’s a beautiful thing!