By Eric Baize, Chairman, SAFECode
Software security is less and less about technology and more and more about culture.
I would contend that today, for the most part, we know what it takes to build secure software. What we are struggling with is how to make secure software a reality on a large scale. This is where culture comes in and why culture – a culture of software security – is so vitally important today.
It is important because culture drives behavior at scale. SAFECode and all of us in the industry have an equally important role to play in putting security at the center of the technology culture so that we can scale the adoption of sound software security practices.
The Three Horsemen of Software Security
We need to get the culture right with three groups of key stakeholders in the technology ecosystem – I call them “The Three Horsemen”. “The Three Horsemen” are software developers who create the code, development organizations who leverage software to create products, services or applications that solve business problems, and technology users who buy and consume the end product that contains the software. These stakeholders interact closely and influence each other. Development organizations hire software developers who, in return, bring their expertise to develop software for these organizations. Technology users buy from development organizations and set market expectations. They all play a key role in advancing software security, provided we focus our attention on them and work with them to help create a culture of software security. That is the only way we can create the right environment to allow software security to scale.
Let’s examine each “Horseman” below to discuss what is going right and what remains a challenge.
Leading a Horseman to Water
A vast number of resources have been created by SAFECode and other organizations for software developers, including threat modeling and third-party component management papers as well as a number of training modules. In addition, security tools for testing or static code analysis are available as open source software or from commercial vendors. The challenge is obviously not in creating or distributing quality resources, nor does it have anything to do with technical prowess. The challenge is cultural. It reminds me of the old saying, “You can lead a horse to water but you can’t make him drink.” We need all developers, not just the most expert ones, to leverage, share and contribute to these software security resources.
Taking the Pledge
Development organizations have matured a lot in the last decade. They do understand that there is no such thing as unbreakable software and that developing secure software is a holistic process that requires full organizational commitment. This holistic process for secure software development has been documented, starting with Microsoft SDL and continuing with a number of SAFECode publications. We, as an industry, have made great progress, but the remaining challenge will mean a cultural shift in many organizations. We need all organizations developing software, large and small, to commit – take the pledge – and treat software security in the way we treat quality by adapting our processes throughout the development lifecycle.
Not Silver Bullets. Silver Buckshot.
Technology users, the third of “The Three Horsemen,” need ways to assess the risks associated with the software they buy and use. The most mature of these users understand that there is no silver bullet solution that will turn green when the software is secure or red when it is not. Instead, the solutions tend to be “silver buckshot” or a lot of little things that, when put together, add up to a viable solution to assess risk. Lately, we’ve seen new approaches to assisting customers with assessing their vendor software security practices, such as FS-ISAC’s questionnaire or SAFECode’s framework for buyers to assess vendor commitment to software security. Also promising is ISO 27034, which is focused on certifying secure software development practices. These frameworks work fairly well for large buyers of software. I think this means that our next challenge here is to create simple assessment methods for the consumer market.
Let me summarize by ending where I began. To solve some of our toughest software security problems we must address the cultural aspects with software developers, development organizations and technology users. Culture drives behavior in people and organizations. We need to create a culture of software security first, if we want to scale and improve the adoption of secure development practices. If you are interested in this discussion, please check out the recent keynote address I gave at the IEEE SecDev Conference in Cambridge, MA. My presentation was titled: Scaling Secure Development by Changing the Software Culture Code. It was a very well organized event with high-quality participants. I will definitely return next fall.