Security in software needs to be Job One

Published: January 26th, 2017

- Alex Handy

It’s a scenario right out of a Bond movie. James is charging down a hallway, parkouring over bad guys, shooting everyone he sees in a mad dash to get to the glowing computer screen in a dark basement under the villain’s hideout. Inside that computer: stolen information. Maybe it’s a list of other agents. Maybe it’s nuclear secrets. Or maybe it’s a trove of private e-mails.

If there were any doubt left about the importance of cybersecurity, it most certainly was washed away after the United States’ 2016 election. Hacked e-mail servers and Russian cyber-meddling are still being discussed even after the dust has settled. A topic few people understand or can even describe properly is, perhaps, the most important and individually threatening matter of our day.

Building so bleak a picture is not bellicose or melodramatic; it is in fact a difficult situation to overstate. From wild IoT devices being harnessed and bandied like so many jumpsuited henchmen, and daily, even hourly attacks on almost every potentially vulnerable surface exposed to the Internet, it’s a scary time to be a software developer.

It’s positively Machiavellian, the possible vectors of attack in our modern, target-rich environment. Christopher Walken’s Bond villain Max Zorin just wanted to blow the entire Silicon Valley into the Pacific Ocean so he could corner the market on chips. It never even occurred to him to use his computer empire to take over the world in a far subtler way.

In truth, the era of SPECTRE and uniquely festooned bodyguards climbing buildings to steal documents are over. We’re now in the era of Alan Cumming’s Boris from “GoldenEye.” In our modern dystopia, Target’s millions of customers are taken by a mastermind, half the Internet is kicked offline by zombie IoT devices, and an entire political party has its body of e-mails dumped into the public domain at the behest of a foreign power.

Regardless of which party is in power, there have been and will continue to be governmental pressures to deal with the rising tide of computer security threats. The ever-looming danger on the horizon is one of legislation enacted without a full understanding of the problem, such as has happened with the Computer Fraud and Abuse Act, a federal law that can make it a crime, in certain cases, to violate a terms of service agreement.

The Federal Trade Commission has, for some time, been putting the screws to router manufacturers that make dishonest claims about their security offerings. Just last month, the FTC set its sights on D-Link as a vendor not supporting its old devices with software patches and security updates. In February 2016, the FTC settled with Asus over router insecurity, as well.

Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said, “Hackers are increasingly targeting consumer routers and IP cameras—and the consequences for consumers can include device compromise and exposure of their sensitive personal information. When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

It’s a difficult climate, and one that is rife for liability, potential legislation, and, no matter what, bad publicity. Anything and anyone touching your software development process needs to be thinking about security first at all times. Otherwise your entire company could be on the wrong side of a very bad cyber threat.

Compounding the issue is the perception that security in the software development life cycle is a burden; security is often seen as a trade-off with velocity. It’s enough to paralyze a development team with scheduling nightmares.

There is hope, however, in the form of DevOps. As the DevOps and container revolutions continue to spread through enterprises, Tim Jarrett, senior director at Veracode, sees a window for change.

“What a lot of security folks are seeing is that this is an unparalleled opportunity to say, ‘As long as you’re automating your software development process anyway, let’s take the time to automate the security testing in there as well,’” he said. “They’re saying this is our change moment, this is where we can take the opportunity to build testing right into that process so it’s not an additional tax on the development team.”

That’s not just confined to technology industries, either. Jarrett said that over the course of 2016, his company saw its products sell into 34 industries, up from 25 the year before. The driver: an expanding understanding that enterprise applications, no matter the vertical, are at risk.

“The growth is all over the map, and in a bunch of places you wouldn’t expect,” he said. “We’re seeing retail, which have traditionally focused their defenses against attacks at the endpoints and network layer, are starting to look seriously at their application security as well.”

Whole hog or just the bacon?
The real problem with baking security into a development process is that it really has to be Job One—so much so that, often, the vital practices and procedures have to be included in the development process from the get-go.

That’s not always an option for legacy development processes, said Jarrett. “If you’re a Netflix or someone starting with very little technical debt, you can take an approach where you are nuking servers in production periodically to see what happens,” he joked.

Legacy applications don’t have the luxury of having been built with security in mind from Day One, however. No matter the application, though, Jarrett said there is one major factor that determines success or failure.

“Most of where the approaches we’ve seen either succeed or fail is in getting developers bought in,” he said. “It’s about convincing them that this is something they need to spend time on. A couple things come together for ingredients of that. One is providing them with a way of measuring that, and to tell them what the extent of the problems are. Some of that is tooling, but also part is having people who can tell them what the tools are doing.”

Chip Morningstar has been grappling with this problem for almost 40 years. As a young developer, he and Randy Farmer built the first graphical massively multiplayer game, Habitat, in 1986 for the Commodore 64 and QLink online service. More recently, he was principal architect at PayPal.

In the 1990s, however, Morningstar and his gang of MMO pioneers attempted to build a freely programmable online world at a company called Electric Communities. While the company never succeeded, the security technology developed there by Morningstar and Mark S. Miller (currently a research scientist at Google and a member of the ECMAScript Committee) is still relevant. Miller even designed a new programming language for the company’s work: E.

Morningstar said that the core problem at Electric Communities is still a core problem for most enterprise environments today. “How do I control what an object can do? You have your piece of the virtual world—your fantasy world with people slaying monsters—and over here you have the virtual stock market where people are buying and trading on NASDAQ for real dollars,” he said.

“How do you prevent someone from taking the axe into the stock market and taking someone’s portfolio? That was the core problem Electric Communities solved. E was an outgrowth of attempting to solve those problems.”

Using E and some strict software development discipline, Morningstar said that Electric Communities reaped tremendous benefits outside of just security. “We built all this highly security-conscious software, architectural patterns and coding practices with the idea we were building this ultimately secure virtual world server. That turns out to be a crappy business, so we pivoted. But we had all this stuff and all these habits of how to code and write software that was highly secure, and we discovered that even though in some of our new business undertakings we weren’t nearly as concerned about security, we got this enormous payoff in reliability and software quality and things like how long it took to get something working properly and how many bugs you had,” he said.

For modern enterprise Java developers, Joe-E, a subset of Java designed to foster the same security principles as E, is still available.

Morningstar is also working with Miller to bring this type of security into JavaScript. Together, they have built and proposed the Frozen Realms project, an API designed to enable developers to build JavaScript applications in a far more secure manner than can be implemented today. But it requires some changes to the language at the ECMAScript level.

Underneath this language layer, however, is an even more dangerous problem for the world of software development and corporate computing: the danger of a unified architecture. Morningstar said that the adherence to the Unix model of operating systems has doomed the world to a massive, ongoing security problem.

“It’s not that Unix is bad; it’s just that it is a monocrop,” said Morningstar. “It has certain assumptions baked in at the core that people don’t realize are design choices. They’ll argue Linux versus BSD versus Windows, when they’re all the same thing. Caring about OS details is important in a day-to-day way, but the fundamentals that underlie it are all the same. I would like to see at least a reawakening of the awareness that there are other possibilities.”

Thinginess
When it comes to building software securely, there are some basics that can be instilled from the management layer to take care of developer management. One of the keys to succeeding with this level of management, said Veracode’s Jarrett, is figuring out when policy should lead, and when it should be left up to the developers.

That means “making sure there’s some sort of common agreement on what the minimum bar is. In the organizations we’ve seen this be most effective, that’s generally some policy that says ‘Thou shalt fix these, these, and these types of issues,’ and the rest is left up to the team. If you have that one central policy from the top, you’re not having to negotiate that every time,” said Jarrett.

Another big piece of the security development puzzle is making sure the developers have access to the information they need. “We’ve seen success from organizations that turn developers into security champions and sending them to training. They can be the voice inside for security,” said Jarrett.

When it comes to the Internet of Things, however, the problem isn’t necessarily one of insecure code being shipped. It’s that those things will become insecure over time and never be patched when a vulnerability is found. This is the crux of the FTC’s complaints against consumer router makers.

And it’s a problem Brian Behlendorf is trying to solve through his work as the executive director of the HyperLedger Project at the Linux Foundation. The project seeks to utilize blockchain technology, such as the kind behind BitCoin, to solve authentication problems in the world of IoT devices.

In his view, the problem of rogue, unsupported devices in the wild is not something that will solve itself among vendors, nor will it be solved by the users. Instead, he envisions one of two scenarios: the first would involve legislation, and the second would involve liability and insurance.

“The Internet has benefited from trustless innovation,” said Behlendorf. “Suddenly requiring certification to be on a network becomes an easily abused tool to control content and what kind of innovation occurs. On the other hand, I think people who own networks should be able to know what’s on those networks, and set policies for those networks. There shouldn’t be one certifier; we should have more than one, and even insurance policies. One for the home you get if you only use devices certified by some set of arbiters, and another insurance if you want to run anything.

“If we always have the right to modify the software running on cars, watches, phones, IP cameras, etc., we can have a culture that makes it commonplace and acceptable to be updating this software. [For device owners] the owners can abdicate responsibility. They can say it’s the company’s fault. If you said there are penalties for dumping botnet traffic onto the network, and you can fix that with patches and alternative firmwares, then we have a path out of this.”

Article Tags

blockchains, E, ECMAScript, Java, Joe-E, programming languages, security, Unix

About Alex Handy

Alex Handy is the Senior Editor of Software Development Times.

View all posts by Alex Handy

Cookie	Duration	Description
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__atuvs	30 minutes	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_S6PB8V57DG	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_846073_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_jsuid	1 year	This cookie contains random number which is generated when a visitor visits the website for the first time. This cookie is used to identify the new visitors to the website.
at-rand	never	AddThis sets this cookie to track page visits, sources of traffic and share counts.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
iutk	5 months 27 days	This cookie is used by Issuu analytic system to gather information regarding visitor activity on Issuu products.
uvc	1 year 1 month	Set by addthis.com to determine the usage of addthis.com service.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
WMF-Last-Access	1 month 14 hours 26 minutes	This cookie is used to calculate unique devices accessing the website.

Cookie	Duration	Description
__Host-GAPS	2 years	This cookie allows the website to identify a user and provide enhanced functionality and personalisation.
_pxhd	session	Used by Zoominfo to enhance customer data.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
loc	1 year 1 month	AddThis sets this geolocation cookie to help understand the location of users who share the information.
mc	1 year 1 month	Quantserve sets the mc cookie to anonymously track user behaviour on the website.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
__gpi	1 year 24 days	No description
__Secure-YEC	1 year 1 month	No description
_heatmaps_g2g_100754890	10 minutes	No description
_techvalidate_session	session	No description
cf_7166_id	20 years	No description
cf_7166_person_last_update	session	No description
f5avraaaaaaaaaaaaaaaa_session_	session	No description available.
GoogleAdServingTest	session	No description
Gyazo_cfwoker	7 years 2 months 17 days 7 hours	No description
incap_ses_451_2783402	session	No description
incap_ses_769_2783402	session	No description
loglevel	never	No description available.
m	2 years	No description available.
nlbi_2783402	session	No description
prism_252377639	1 month	No description
TS011605d9	session	No description
ustream-guest	session	No description available.
visid_incap_2783402	1 year	No description
xtc	1 year 1 month	No description

AI

AI and Software Development

Observability

Guide to Observability

CI/CD

A guide to CI/CD

Cloud Native

Cloud Native Content

Data

A Guide to Data

Test

Automation

Mobile

Mobile Testing

API

Sponsored by Parasoft

Performance

Load & Performance Testing

DevSecOps

A Guide to DevSecOps

Enterprise Security

A Guide to Security

Supply Chain Security

Supply Chain Security

Dev Manager

Dev Managers Content

Agile

A Guide To Agile

Value Stream

A Guide To Value Stream

Productivity

A Guide To Productivity

DevOps

DevOps Content

Microservices

A Guide to MicroServices

AI

AI and Software Development

Value Stream Management

A Guide To Value Stream

Security in software needs to be Job One

Article Tags

Subscribe to SDTimes

About Alex Handy

Related Articles

Red Hat Trusted Software Supply Chain gets updated with three new offerings

Report: Java is the language that’s most prone to third-party vulnerabilities

Looking back on 15 years of Oracle Java and what it means for the ecosystem

Implement a good secrets management practice to reduce your security risk