McGraw advocated for enforcing security at coding time, and his company’s tool, SecureAssist, does just that. “Klocwork [and tools like it], I think those are fantastic tools. Anything that helps you pay attention to security while you’re coding is good. Coverity and Veracode, those are used at compile or after compile time,” he said.
McGraw advocated for the use of “SecureAssist and other tools that are available in the IDE, and that notice bugs while you’re typing them and say ‘Hey don’t do it that way, do it this way.’ The closer you can get to the developer’s keyboard, the better off we are from a security perspective.”
Art Dahnert, product manager for security at Klocwork, said that enforcing good design and development practices when developers are coding can help keep the security flaws from ever making it into production.
“The whole key is that it’s a process,” he said. “The secure software development life cycle is a process. Developers write code, they check it in, and it gets built into product. Along the way, we’ve developed techniques to make that process faster and less error-prone.
“That’s where we want to jump in and help developers to not implement errors into the code. Within the IDE we may go faster and not find everything the developer is working on because we want to be unobtrusive. But when they check it in and compile, we can check it. Before we’ve gotten into the integration build and the final version, we’ve got development errors for that developer so he can see the problem at check-in time.”
But the key to helping developers when they’re writing code isn’t to lock them out of their favorite IDE features and stop their work every time there’s an issue. Rather, the key, said Dahnert, is to be unobtrusive. “Developers have to be educated. A lot of developers now out there are so focused on schedules and time constraints that they don’t get the actual training they need for security,” he said.
“You’ve got to make it as unobtrusive as possible. It has to be fast, because developers need fast machines. Those two things are the crux of it: Make it fast and get it out of the way. You also have to take advantage of the actual IDE itself: Visual Studio has the little red squiggles, and Klocwork will use that API and that visual reference to say there’s a problem.”
Pushing security responsibility onto your development team is certainly a great way to get them involved in the security process, but there are many other practices that can help to minimize your team’s exposure to risk via software exploitation.
One tactic is to hold core competency in all of the software packages that are critical to your infrastructure. Dave Miller, chief security officer of Covisint, said that his company has been able to build its systems from the ground up since 2000, meaning there’s little legacy software or hardware that needs to be supported. This helps to minimize risk for the OEM supply-chain connection company.