Automation, authentication and research are only pieces of the “reduction of vulnerability” pie. A team mentality and cohesion across the software supply chain play a big part as well, according to a report released June 14 by non-profit organization Software Assurance Forum for Excellence in Code (SAFECode).
The report, “An Overview of Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain,” discusses approaches organizations can take to protect the integrity of the software they source, build and deliver, such as contractual, technical and authenticity controls.
Bola Rotibi, research director at Creative Intellectual Consulting, pointed out: “The most important thing is not a tool or a technological approach, although these things are vital. It’s really more about an attitude, awareness and recognition [of a vulnerability] approach that should be applied before best practices.”
SAFECode’s members (Adobe, EMC, Juniper, Microsoft, Nokia, SAP and Symantec) naturally agreed with the paper’s premise, saying, “Focusing on the place where software is developed is less useful for improving security than focusing on the process by which software is developed and tested.” Focusing on the process helps ensure vendors, suppliers and employees alike are all on the same page, the report said.
Despite plenty of ways to assess and mitigate vulnerabilities, Rotibi said that, at the end of the day, there needs to be a concerted effort to look at where vulnerabilities will happen, to have the skills to recognize them, and the humility to admit a failure if a vulnerability does happen. Afterwards, that information also needs to be documented and passed along to ensure the vulnerability will be less likely to happen again, she added.
Other approaches, such as automating certain processes and reducing the number of people who touch the code, can certainly minimize risks, but they are not always feasible either, said Michael Coté, an industry analyst with RedMonk. “If you buy into the trend of a lot more systems development going on,” which typically requires more people touching the code, then that kind of approach would be too difficult and time consuming to implement, he added.
Despite previous developments in software integrity, the space is still evolving. Recent developments include IBM’s launch of new security solutions called “secure by design,” Rotibi said. This helps organizations build security into the initial design of applications rather than leaving it as an afterthought, she added.
Other organizations, such as Black Duck, a provider of intellectual property solutions, are involved with setting standards for the software supply chain. Co-chairing a group called the Software Package Data Exchange, the company is working toward setting policies and controls for the sharing of software packages, including licensing for open-source software, said Peter Vescuso, Black Duck’s senior vice president of marketing and business development.
These initiatives and others are the next steps toward greater software integrity. While SAFECode pointed out future directions that deserve further study and industry collaboration, such as authentic software at runtime and more comprehensive data on today’s practices and controls, Rotibi said that these are best practices to be implemented depending on what you are mitigating. “Really, it’s about getting everyone together on the same page with goals and policies,” she said.