The security landscape has been evolving along with technology. At the same time, as businesses embraced the cloud and new software-development technologies, exploit writers and black-hat hackers changed their tactics.
Tim Rains, director of product management for Trustworthy Computing at Microsoft, spoke at the Security Development Conference in San Francisco in mid-May. He said Microsoft's own security practices grew out of the need to track vulnerabilities quickly and accountably from disclosure to patching, and that the processes the company refined over years of internal security work are what now make up its Security Development Lifecycle (SDL).
“At Microsoft, the goals are pretty simple. One: reduce the number of these vulnerabilities, and two: reduce the severity of the vulnerabilities left in products after they ship,” said Rains. “As long as humans make software, there’ll be mistakes. For those vulnerabilities left over, let’s make them really, really hard to exploit. We’ve been trying to share more and more of this over time. SDL is a methodology for creating software, and a tool set to support that methodology.”
Rains said that, when it comes to security, building a process is key, but that having a process alone is not enough: what matters is having a process around which tools can be built. Microsoft has therefore been providing tooling around SDL, and that tooling, he said, does not need to be intrusive or overly complex.
“In the newest version of Visual Studio, they have an SDL switch. In previous versions of the compiler, you’d have to know which switches to check. They’ve made it really easy now, where it’s a single checkbox. You check it, and you’ll get all the goodness that goes into these safety mitigations,” said Rains.
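For readers who want to see what that checkbox actually sets, the following trimmed .vcxproj fragment is an added example, not code from the article, from Microsoft, or from Visual Studio's own project templates. The element names are the MSBuild properties behind the cl.exe and link.exe switches noted in the comments; the configuration condition is an assumption.

```xml
<!-- Added example: the MSBuild properties behind the "SDL checks" checkbox
     and the other mitigation switches a project should carry. Condition
     is an assumption; adapt it to the configurations you actually build. -->
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
  <ClCompile>
    <!-- "SDL checks" checkbox = /sdl. Enables strict /GS buffer-overrun
         detection and promotes a set of security-relevant warnings
         (for example C4700 uninitialised variable and C4996 unsafe CRT
         function) to errors, so the build fails rather than shipping them. -->
    <SDLCheck>true</SDLCheck>
    <!-- /GS stack cookies. Implied by /sdl, but kept explicit so that a
         later edit dropping /sdl does not silently drop cookies as well. -->
    <BufferSecurityCheck>true</BufferSecurityCheck>
  </ClCompile>
  <Link>
    <!-- /DYNAMICBASE: opt the image into ASLR. -->
    <RandomizedBaseAddress>true</RandomizedBaseAddress>
    <!-- /NXCOMPAT: mark the image DEP-compatible. -->
    <DataExecutionPrevention>true</DataExecutionPrevention>
    <!-- /SAFESEH (32-bit only): emit the table of registered exception
         handlers so SEH overwrites cannot redirect execution. -->
    <ImageHasSafeExceptionHandlers>true</ImageHasSafeExceptionHandlers>
  </Link>
</ItemDefinitionGroup>
```

The checkbox is only worth anything if the shipped binary actually carries the result, so verify the output rather than the project file: `dumpbin /headers app.exe` lists "Dynamic base" and "NX compatible" under DLL characteristics, and `dumpbin /loadconfig app.exe` shows a "Security Cookie" entry when /GS was applied. A third-party static library built without these switches will not inherit them from your project.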
Other tools that have become popular for securing software are static code-analysis scanners and in-IDE coding-standard checkers. Companies like Coverity, HP, Klocwork and Veracode all offer tools that spot likely vulnerabilities in source code, but they share a classic Achilles’ heel: the false positive.
False positives mean bringing humans into the process to sort the findings that are real, exploitable bugs from those that are not, and bringing people into the process inherently slows it down. That is why McCabe IQ positions itself a level above the scanner: rather than producing more findings, it analyzes the context of the ones a scanner has already reported.
David Belhumeur, CEO of McCabe Software, said that McCabe IQ can be used to determine which detected vulnerabilities are actually important. “You’ve identified these hundreds of thousands of vulnerabilities, now what do we do?” he said. “From a security perspective, we analyze the impact and the context of those vulnerabilities. It’s a way to prioritize and help you with that end of things. You’re saving money and saving time by focusing on the most critical vulnerabilities.
“In testing, we analyze security testing. Code coverage is what people know us for, but we do the analysis of the vulnerable code. An organization that’s sophisticated is going to do some test coverage on that. We go down to the line coverage, but also we are known for complexity analysis. We do risk analysis. You want to make sure those vulnerable areas of the code can be analyzed.”
Belhumeur said that with some security code-scanning tools, false-positive rates can be “up to 50%. That’s just the nature of the beast. Where we help with that is that if you can target that manual review and focus on those critical areas, and see these vulnerabilities in context,” you can better respond to a crisis, he said.
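As an added example (not McCabe IQ's or any vendor's code), the following Python script shows the kind of join Belhumeur describes: each scanner finding is weighted by the cyclomatic complexity of the function it sits in and by how much of that function the test suite actually executed, so manual review starts with severe findings in complex, untested code. The scanned module, the three findings and the coverage set are all constructed inline, and the scoring formula is an illustrative assumption rather than McCabe's.

```python
"""Triage static-analysis findings by severity plus context: McCabe
cyclomatic complexity of the enclosing function and test line coverage.

Added example, not McCabe IQ or any scanner vendor's code. The scanned
source, the findings and the coverage data are constructed for illustration.
"""
import ast
from dataclasses import dataclass


# Constructed target module. It starts with a newline so the first def
# sits on line 2; finding and coverage line numbers below refer to it.
SAMPLE_SOURCE = '''
def parse_header(buf):
    if not buf:
        return None
    if buf[0] == 0x7f and len(buf) > 4:
        return buf[1:5]
    for b in buf:
        if b == 0:
            break
    return buf

def log_line(msg):
    print(msg)

def build_query(user):
    return "SELECT * FROM t WHERE u='" + user + "'"
'''

# Constructed scanner output: rule text, vendor severity (1-5), reported line.
FINDINGS = [
    {"rule": "string-built SQL query", "severity": 5, "line": 16},
    {"rule": "unchecked index into buffer", "severity": 4, "line": 5},
    {"rule": "unsanitised data written to log", "severity": 2, "line": 13},
]

# Constructed line coverage from one test run: lines that executed.
COVERED_LINES = {3, 4, 13, 16}


@dataclass
class FunctionContext:
    name: str
    first_line: int
    last_line: int
    complexity: int       # McCabe cyclomatic complexity
    statement_lines: set  # lines holding an executable statement


def cyclomatic_complexity(func: ast.FunctionDef) -> int:
    """Decision points + 1: each branch, loop, handler, comprehension
    filter and extra boolean operand opens another independent path."""
    decisions = 0
    for node in ast.walk(func):
        if isinstance(node, (ast.If, ast.For, ast.AsyncFor, ast.While,
                             ast.IfExp, ast.ExceptHandler)):
            decisions += 1
        elif isinstance(node, ast.BoolOp):
            decisions += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            decisions += 1 + len(node.ifs)
    return decisions + 1


def analyse_functions(source: str) -> list:
    """Per-function context (complexity, executable lines) from source text."""
    contexts = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            stmt_lines = {n.lineno for n in ast.walk(node)
                          if isinstance(n, ast.stmt) and n is not node}
            contexts.append(FunctionContext(node.name, node.lineno, node.end_lineno,
                                            cyclomatic_complexity(node), stmt_lines))
    return contexts


def triage(findings: list, source: str, covered: set) -> list:
    """Return findings ordered for manual review, highest priority first."""
    contexts = analyse_functions(source)
    ranked = []
    for f in findings:
        ctx = next((c for c in contexts
                    if c.first_line <= f["line"] <= c.last_line), None)
        if ctx is None:
            # Module-level code: no function to give context, use the line alone.
            name, complexity = "<module>", 1
            covered_frac = 1.0 if f["line"] in covered else 0.0
        else:
            name, complexity = ctx.name, ctx.complexity
            covered_frac = len(ctx.statement_lines & covered) / len(ctx.statement_lines)
        # Illustrative weighting (assumption): untested, complex code doubles the
        # weight; full coverage never zeroes it, since coverage only proves the
        # code ran under test, not that the finding is safe.
        score = f["severity"] * complexity * (2.0 - covered_frac)
        ranked.append({"rule": f["rule"], "function": name, "line": f["line"],
                       "severity": f["severity"], "complexity": complexity,
                       "coverage": round(covered_frac, 2),
                       "line_tested": f["line"] in covered, "score": score})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in triage(FINDINGS, SAMPLE_SOURCE, COVERED_LINES):
        print(f'{r["score"]:6.1f}  {r["function"]:<13} L{r["line"]:<3} '
              f'cc={r["complexity"]} cov={r["coverage"]:.0%} '
              f'tested={r["line_tested"]}  {r["rule"]}')
```

Run stand-alone, the severity-4 finding in `parse_header` comes out on top: the function has a complexity of 6, only a quarter of its statements ran under test, and the flagged line itself never executed, so no dynamic test could have exercised the bug. The severity-5 SQL finding in a one-line, fully covered function ranks second, which is the point of the approach: raw severity alone would have sent the reviewer to the easier case first. Tune the weighting to your own risk model; the value is in joining the three data sets, not in the particular formula.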