Today, we continue our Meet SAFECode series with an interview with Symantec’s Edward Bonver. Edward not only works with our Technical Leadership Council, but also serves on SAFECode’s Board of Directors. He has played a formative role in projects ranging from our Security Engineering Training by SAFECode Program to our Fundamental Practices for Secure Software Development paper.

Interview with Edward Bonver, Technical Director, Product Security Group, Office of the CTO, Symantec Corporation

Q. From the DNS flaw to Heartbleed, we’re seeing some foundational flaws emerge.  What would you see as another area ripe for exposure and how do we find/fix these?

When you look at Heartbleed in particular, it speaks to the high, and increasing, levels of Open Source adoption.  The word on the street is, “why develop a complex piece of code, when instead you can borrow code for free that’s already been written (and supposedly reviewed by the open source community)?” As more and more companies – particularly high profile ones – adopt and implement Open Source technologies, the attraction by criminals to find and exploit vulnerabilities increases based on the potential gains. And as with Heartbleed, the most attractive Open Source components to target are the core technology pieces of code (e.g., operating systems, network communications libraries, etc.) that act as a gateway to any and all connected systems. Heartbleed sent ripples through the software community by affecting two thirds of the machines connected to the Internet.

Even more unsettling is the fact that exploits appeared in the wild almost instantaneously after Heartbleed information became public. With this in mind, my recommendations are in two main areas.

First, companies must pay closer attention to any piece of code that they do not develop themselves, but end up embedding into their products (be it from open source or other third-party code). Whether bought or borrowed, any code must be put through due diligence within the organization, evaluating it to ensure that it fits that organization’s specific business and quality needs. This can be better addressed via a secure development process. Coincidentally, SAFECode has been trying to address this issue in its Fundamental Practices for Secure Software Development, 2nd edition and Framework for Software Supply Chain Integrity publications and is planning to continue its work in this area through future publications and blog posts on software security assessment.

Second, give back. Open Source has reached a level of acceptance that has converted traditionally closed source companies into fervent users (in the industry it is widely acceptable to incorporate open source into new product offerings, hence the use of open source software has skyrocketed in the past few years). But they also need to be as fervent in participating in the Open Source community to enable continuous improvement within the whole ecosystem. Of course there are many ways one could participate in that community (financially, contribute development resources, contribute code, documentation, etc.).

Q. With regards to Agile, DevOps, etc. what is the organizational and development trend that offers the most impact and has the most staying power?

Before answering with regards to specific approaches, it’s helpful to understand why they exist and why they are gaining interest and acceptance. The need for a new development approach – and it is an absolute need – is because the speed of development and the dynamic and participatory nature of today’s applications require more continuous and open communications between all stakeholders – developers, QA, IT operations teams, lines of business and customers.

Traditional waterfall development processes took place in silos, where generally developers had no involvement or visibility into the planning stages, QA had no involvement in the development stages, ops teams lived in their own isolated world; it was an insulated, linear process that had an extremely inefficient process for oversight.

New disciplines like DevOps (which builds upon strengths of Agile development process) change that by shortening the feedback loop, and thus instilling a more collaborative and community oriented process that encourages and rewards continuous oversight and improvement, ultimately resulting in a better product. This requires more than a change in process – it requires a cultural change.

SAFECode specifically undertook a project to look at Agile practices among its own members and issued guidance on best practices for security in Agile. I believe that due to its multiple benefits the Agile (and DevOps) approach will slowly but surely overtake traditional processes – we can already observe that the popularity of both is on the rise, which bodes very well for the industry. Such collaborative approaches will drive greater efficiencies, as they hold the promise of leveling the playing field – eventually whichever one integrates communications better will be the ultimate victor. That day also can’t come quickly enough, since the black-hat community has historically been much better than the software industry at collaboration and sharing within its own closed community.

Q. In such a technology dependent and obsessed world, why does there seem to be such a gap in security engineering education and training?

That is one of the most active and pressing questions facing the security community right now. I think that there are two main problems that need to be addressed.

The first is the “Generation Gap.” In University environments, a lot of the academic staff is “last generation-focused” with some experience in security technologies such as firewalls, intrusion detection, etc. Few professors are trained in hardcore secure software development and weaving software security principles into all aspects of computer and information sciences, in particular into the software engineering discipline.

But change also has to come from outside, and the other problem that I see is that the enterprise software industry (not just the security industry) is not exerting sufficient pressure on universities to precipitate change. Industry needs to demand more, and seriously reconsider hiring criteria.  Additionally, the industry also needs to take an active role in defining those criteria and helping shape a curriculum that supports them. As I said earlier, communication and community participation are critical to changing the status quo.

Though, I have to note that I have observed that the academic community has been slowly turning around in the past few years, and there are signs that universities are starting to incorporate various software security themes into their curricula.

Q. What first drove you to software development / technology / security?

Software development and the ability to create applications that responded to your commands have fascinated me since childhood. As a child, my first experience was with programmable calculators when I was nine or ten years old, and from that experience there was no doubt about what I wanted to do.  From there I started early in my career designing operating systems at Digital Equipment Corporation.  From there I moved into networking software, and that led me into security.

I think I had developed the urge to try to change the world for the better very early on, and entering the high tech field seemed a natural progression toward that goal. I’ve never forgotten that goal – I believe I have to continuously keep moving in that direction, and these are the principles I’m trying to pass on to my children.

Q. I imagine your day job is pretty busy – what motivates you to spend extra time volunteering with SAFECode?

The work we do at SAFECode is extremely important, because organizations like SAFECode drive the industry forward. I continue to make the point, because it’s so important, that improving communications in the white-hat community and the industry more generally can go a long way toward leveling the playing field with those who seek to steal and damage.

In my role at Symantec, I act as an internal security consultant to all of the product teams. This gives me a global view across many different technologies and development teams. That perspective is immediately translatable to the work at SAFECode. It allows me to contribute more to the efforts there, but also gives me the benefit of drawing from others’ experiences to augment my contributions within my own company. We (SAFECode member organizations) are all working on the same problems, facing very similar challenges – SAFECode is an awesome forum for all of us not only to increase the efficiency of our own processes and to improve the security (and more generally, quality) of our respective software offerings, but also to share that information with the rest of the software industry, thus moving it forward!