Wednesday, 17 March 2010

Security Digest #7

Onward March

An interesting and varied time in the security arena. While the recent highlight for me has to be the EoP card game, which I hope will soon be extended to the EoP dungeon and maybe EoP Assassin on the 360, there are undeniably other developments of equal merit afoot...

The State of App Security

Our first report from 2010's American RSA Conference in San Francisco came from Kelly Jackson Higgins, and contained a couple of shockers regarding the current state of application security in our industry.

The big headline: almost 60% of all applications tested during the past year by Veracode, the app security company, failed in their first round of testing to achieve a successful rating. Remember, this is software written by companies with at least enough security focus to submit their output for independent testing.

Also with a bullet: almost 90% of "internally developed apps" contained vulnerabilities in the SANS Top 25 and OWASP Top 10 lists of most common programming errors. XSS and SQL Injection still rule.

On the bright side, open-source is less risky than conventional wisdom suggests, and typically takes a lot less time (~30 days) than commercial or internal code to fix.

Veracode's full report is here.

Fortify Assures

Also at RSA USA 2010, software security assurance consultants Fortify (SDL page) published their new white paper, whose title says it all: Optimizing the Microsoft SDL for Secure Development: Fortify Solutions to strengthen and streamline a Microsoft SDL Implementation.

Many expert players are now taking this approach, enumerating the correspondence between their own inhouse offerings, and the Simplified SDL Implementation. And that's no bad thing; apart from serving the marketing requirements of both Microsoft and their SDL Pro Network Tools members, this focus has also given the security community a new vocabulary, and a readily-grasped framework, in which to express and process its concerns.

In other words, sometimes we do have to read blatant multipage advertisements like these!

Office 2007 and IE8 Tell Their SDL Tales

Microsoft apps take a lot of stick, don't they? You'd hardly know from looking at the popular press, that their output is far and away some of the very best, in terms of quality of security and privacy, available in any market - and not just the commercial, closed-source desktop money spinners. The security experts who shepherded two of these products, Office 2007 and IE8, through SDL-based development and other security processes, recently broke radio silence in order to elucidate the rest of us on their experience of using SDL throughout formative development.

Now the SDL has been in use for six years at Microsoft, improving software security very effectively; these papers will be useful references as we start to consider the implementation of the SDL and Agile-SDL in our own software development lifecycle.

Office 2007 was the first Office release based upon the SDL process. The related paper summarizes how the SDL process, and additional security work, dramatically improved the security of the software. Read "How the Security Development Lifecycle Helped Improve the Security of the 2007 Microsoft Office System" here, and "Internet Explorer 8 and the Security Development Lifecycle" here (both ~400KB docx).

Client and Cloud Security

Lastly this month, a couple of Silverlight embeddedments, for your security edification.

Get Microsoft Silverlight

Steve Lipner, Senior Director of Security Engineering Strategy, Microsoft Trustworthy Computing Group, discusses how the SDL can help improve client and cloud security.

SDL for Agile

Get Microsoft Silverlight

Bryan Sullivan, Senior Security Program Manager, Microsoft SDL Team, talks about the SDL for Agile addendum, asking: does the widely used Agile development methodology produce secure deliverables?

That's all for today. Mine's a Guinness.

No comments:

Post a Comment