If it's worth coding, it's worth securing
Cyber security: Everyone's responsibility. Photo: Rob Homer
"Do what you can to secure your part of cyberspace because that makes us all better."
So says Howard Schmidt, former cyber tsar to US President Barack Obama, now a cyber security consultant and board member of the Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organisation aimed at making the internet safer.
As cyber security, or the lack thereof, reaches global levels of awareness, driven by financially motivated hacking, hacktivism, state-sponsored espionage and market pressure to release new products quickly, Schmidt is asking software writers, application developers and the organisations buying from them to adhere to a relatively new application security standard, ISO/IEC 27034.
The 18-month-old standard is being pushed by large US software makers, including Microsoft, Adobe and Cisco, together with SAFECode, as a way to ensure security is built into computer code from the initial stages rather than added as an afterthought.
They say following the standard is more responsible and more flexible than any government-imposed set of static rules, and is better for business in the long run.
"Governments have a tendency to try to solve problems with regulation and policy that a lot of times are not grounded in reality. And government speed is not internet speed. Governments don't need to be [regulating] this because industry is already doing it," said Schmidt, now a partner at Ridge Schmidt Cyber.
Speaking to some 300 developers at the Secure Development Conference in San Francisco on Tuesday, Schmidt pressed the need for the private sector to produce more secure software that will in turn reduce the opportunity for criminals to exploit weaknesses and gain access to systems and information.
The theory goes that the need for fast release of software applications is outstripping developers' capacity to identify and fix bugs, or vulnerabilities, before deployment. Scott Charney, vice president of Trustworthy Computing at Microsoft, said the company started reversing that trend in 2003 with the launch of the division, and in 2004 with the adoption of its Security Development Lifecycle (SDL), which it follows in building its own products. The SDL is being held up as a practical example of the kind of process the standard describes.
"Over time you end up with happier customers and a competitive advantage. When businesses realise that doing these things are good for business, they'll realise it's not a tax," Charney said.
With so much code being written by individuals and small-shop software developers around the world, in addition to the big players, Schmidt said, everyone now has the responsibility to write secure code from the start to reduce the number of vulnerable applications connected to the internet.
"When you start looking at the landscape of developers out there – tens of thousands of developers, particularly in mobile and people making really, really cool apps – am I suggesting they [adopt] the ISO? Yes. You don't have to be a multinational billion-dollar company to adhere to it."
Schmidt, Charney and Steve Lipner, a 40-year veteran of computer security and now partner and director of security software at Microsoft, urged governments and companies around the world to require compliance with the standard in their procurement contracts.
But the trio faces an uphill battle to convince developers.
According to a study conducted by comScore in November, only 37 per cent of IT professionals said their organisations built products and services with security in mind. Sixty-one per cent admitted not using pre-existing risk mitigation tools in their development process.
They said they don't get "enough management support; management wants to get product out or the service on the air; that secure development is not viewed as a priority; they don't know how and that they are afraid if they attempt to do secure development it will raise their cost or delay time to market", said Lipner.
Simon Dennis, principal consultant at Verizon Enterprise Solutions, said adoption of the standard was "an insurance policy".
"It's not necessarily a tangible product, but it may mean you don't become front page news," Dennis said referring to data breaches that become public. "People never think it will happen to them."
Peter Bauer, product development manager at US financial services firm Wolters Kluwer, said the cost of implementing secure development was less than the cost of fixing vulnerabilities after release.
"It costs $4000 to $7000 to fix a critical security flaw once it's in production – saving that cost alone saves a ton of money. Plus it saves your company's reputation."
Schmidt said developers should not see the standard as additional red tape: because the practices are built into the development process, there was little additional cost to compliance.
"The weak link in the chain will always be those that are not really compliant."
Charney said developers shouldn't see it as a tax on innovation or on the creation of new apps. He cited the example of Microsoft Office, in which the number of exploitable vulnerabilities fell from 116 in the 2003 release to seven in the 2007 release, after two release cycles built using the SDL.
"The thing about this standard: it was done by people who do this for a living. I think our company has shown that this is a cost effective way to have a real impact in protecting users on the internet," Charney said.
Charney, whose job has involved lobbying the US government and industry on issues of computer security for years, said there was a global need for more rigour around software development which could be helped by buyers demanding compliance.
"Let's say to vendors through our security and development contracts 'we require' ISO 27034 compliance. It's a healthy way to get governments to use their market forces. Governments are the largest purchasers of IT products because of their size, now they can use their procurement powers to ask vendors to do something that is definable and verifiable," he said.
"Governments and all purchasers of IT should always ask developers what are you doing to ensure that your development process focuses on security?"
On the subject of training, SAFECode launched a series of free online courses on Tuesday. Schmidt said they would help developers at organisations of all sizes learn about security and how to implement it.
The writer travelled to the event as a guest of Microsoft.