It’s no secret that computer security is a difficult area of expertise. At the annual RSA Conference in San Francisco this week, attendees were treated to a host of solutions to solve their security woes. As usual, however, software development is not the focus.
Robert Griffin, chief security architect at RSA, agreed that developing secure software is a difficult order, and said that typically features trump security in the software development life cycle.
“The pressures I felt in the 80s and 90s looking for when code would cause problems; that pressure doesn’t seem to be there at the moment,” he said. “The model built by Google and Microsoft has supplanted so much that it’s hard to think about security. There needs to be a new methodology that reinserts security models into the rapid development life cycle.”
Griffin, who has been promoted to the point where he no longer has to write software, said that back in his days of being a coder, his team used three tools to ensure software security.
“One was code review,” he said. “Clearly we did that as a way of looking for obvious and less obvious errors. Second was vulnerability scanners. In the early days in the 90s especially, they searched for known coding errors. Third—although it was the hardest goal for us—was to find errors in the design phase. That was the hardest thing. You could find some errors in terms of assumptions, in terms of approach. The real errors occur as you were getting to the coding. It was so difficult to really identify vulnerabilities and significant issues at the design phase.”
When asked about the current state of OpenSSL, Griffin stated that he felt it was difficult to build secure software through an open-source process.
“It is very tough to deal with security issues when the focus is on the functionality,” said Griffin. “For the reference implementation around key management (for OpenSSL), it was much harder to drive security properties of that, even though it was a security protocol. I think there was a shift in the OpenSSL community after the RSA patents. Due to the sense that this supplanted that patents, there was a rush to move to that software without the level of inspection needed. Customers did rigorous reviews of our SSL code. I don’t know of customers who did that with OpenSSL.”
New tools, old problems
Many luminaries spoke at the show on myriad security topics, luminaries like Sean Penn. It wasn’t all glitz and glamor, however. Whitfield Diffie, recent winner of a Turing Award, was also on hand. Encryption was a major topic of discussion, thanks to the current conflict between Apple and the FBI.
The conference offered hundreds of security tools for attendees to evaluate, but only a few that were focused on software development. It has grown considerably over time, showing proof positive that enterprises are looking for security solutions—and many different types, as well. At the show, vendors displayed tools, platforms and services for identity management, device management, threat detection, threat assessment, threat elimination, penetration testing, firewalling, proxying, networking, and encryption. Some even sold custom hardware to solve these problems.
Still, there were some software development solutions on hand, such as those from Veracode. The company demonstrated its SaaS vulnerability scanner, which, over the past year, has irritated Oracle, which has asked customers not to pass Oracle binaries through Veracode and other binary scanners. Oracle claimed these devices bring up false positives for vulnerable code in their binaries, specifically.
Rogue Wave was at RSA to show off Klocwork 2016. This new version enables security testing within the build process, alongside Jenkins. This Continuous Integrated-enabled version of the popular secure code-development monitoring in-IDE tool will bring security testing into the nightly cycle, rather than relying on developers to be compliant as they are writing code.
Palamida demonstrated its code scanner, which detects open-source code. While this may not have been important to folks outside the legal department, with the current state of OpenSSL and with vulnerabilities popping up in other open-source codebases, it could help developers control their teams’ urges to crib code snippets.
While many, many companies on the show floor were talking about how they use machine learning to filter packets or monitor logs, there was only one company on the floor that seemed to have the infrastructure software to be able to support such a system. X15 Software has been working in the Hadoop world for five years, and it offers a set of tools for building security-monitoring systems within Hadoop. Customers run their own instance of Hadoop, then layer the X15 software on top to help them aggregate and analyze log files.