I have had a significant problem with the dash to the cloud ever since it became fashionable to devolve all responsibility to this amorphous lump, based on the notion that it would somehow magically solve all of our computer issues and costs.
Fuelled by a perfect storm of available technology and massive fiscal pressures, cloud based solutions have sucked in the unwary and spat them out alongside their disgruntled customers and suppliers. Unfortunately I felt as if I was pointing out that the emperor’s new clothes were somehow missing as everyone else appeared to “get the cloud” and I was a lone voice in the wilderness.
Well, now I am glad to say that I have finally found a solution that leverages the huge benefits of cloud based computing whilst at the same time delivering more secure applications.
Having run a software development business for many years I am only too aware of the pressure on development teams to quickly produce features and fancy screens for the client. It can be tough to convince clients to spend money on producing secure code, even more so if you need to bring in external expertise to review developers’ code for security flaws.
These flaws can be significant.
For example, if an application can be made to mismanage the way it handles computer memory, the resulting corruption can open security backdoors for hackers to exploit. In another case, applications that rely on databases can be fooled into releasing their innermost configuration details to hackers who bypass security controls by typing technical database commands into a website login page.
So why is application code security now so important? In short because, as attacks on Google and financial companies have shown, the so-called “threat landscape” has never been more threatening. Software applications are what stand between those attackers and vital information and business processes. The way applications are now developed and the traditional means by which developers are asked to test them for security errors make the job of securing software even harder.
Outsourced software code development is all the rage, as developing countries have increased their programming skills to the point at which it is often cheaper to get an application written overseas than it is in the UK. Whilst this may make the accountants smile this commoditisation of software development makes it easier for hackers to plant malware in code that has not undergone security verification than bother with infecting systems with viruses.
How many clients undertake a thorough due diligence of their software supplier? How many will actually visit a development team and find out how they really work? Very few if this development is off-shored thousands of miles away. Even those that do can’t be certain that what they see is what they get because by the time that final product is delivered a lot could have changed in the constitution of the application code.
Software these days is no longer monolithic lines of code boxed up in one single executable file. Instead, software comprises thousands of objects and lumps of code all brought together to make a final working solution. Many of these components are brought in from third parties and may be used across multiple solutions, with the ability to cause mayhem if they contain security flaws.
Ideally, in both these cases the software code should be examined by a group of experts looking for flaws and errors that could produce security issues. The reality is that this is too time consuming and expensive. Many pieces of code from third parties aren’t even supplied with the source code; you simply get the computer software equivalent of a black box and are told to get on with it.
The good news is that there is now an alternative to manual security code reviews, and that is the use of automated scanning tools. I produced a market update that introduced this area in October 2008. Since then the sector has undergone some interesting changes, especially when it comes to the delivery of a secure code checking service.
Of course we are seeing security flaws multiply each day as new and innovative ways emerge for the bad people to plant malware or abuse software code. This constant evolution of new threats, coupled with the need for a shared way of learning about new flaws as they emerge, lends itself really well to a hosted solution in my much maligned cloud.
Veracode has been in the business of application security risk since 2006 and has recently announced the integration of its cloud based binary scanning service with on-premise Software Development Lifecycle (SDLC) tools. Developers log into a secure website and upload their binary files, byte code, PHP or ColdFusion files into the Veracode scanning service. The code being submitted is not source code; it is the same file that would be sent to a customer buying the software. Source code is never sent across the web as it is not needed by the Veracode system, a real positive for those worried about losing control over their intellectual property.
The Veracode engine processes the submitted file looking for a range of security flaws. This security checking is informed by a huge amount of backend data gleaned from a number of sources and includes all of the latest threats that software code faces. Under a 24-hour service level agreement a report is created that details any and every security flaw that has been found in the code.
The interface resembles a report card and the development team can proudly display their compliance with secure coding practices or know what they need to do to get there in the most efficient manner. These results are derived from base data that assigns a severity rating between 1 and 5 to each flaw, corresponding to the impact of the error and its applicability to a particular type of application. For example if you were submitting code for an online banking application you will receive a different level of impact analysis compared to a simple intranet solution. Customers can tune their own security policies and acceptability thresholds based on internal requirements.
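To make the severity-and-threshold idea concrete, here is an added example that is not Veracode's code or report format: a constructed findings list in an assumed shape (flaw name, severity 1 to 5) is evaluated against two assumed policies, a strict one of the kind an online banking application might demand and a more relaxed one for an internal tool, returning the pass/fail verdict and the findings that block it.

```python
from collections import Counter

# Constructed sample findings in an assumed (name, severity) shape.
SAMPLE_FINDINGS = [
    ("SQL injection in login handler", 5),
    ("Buffer overflow in file parser", 5),
    ("Hard-coded credential", 4),
    ("Information leak in error page", 3),
    ("Verbose debug logging", 2),
    ("Unused variable", 1),
]

# Assumed policy shape: the maximum number of findings tolerated at each
# severity. Severities not listed are unconstrained.
STRICT_POLICY = {5: 0, 4: 0, 3: 0}   # e.g. an online banking application
RELAXED_POLICY = {5: 0, 4: 2}        # e.g. a simple intranet solution

def evaluate_policy(findings, policy):
    """Return the verdict for a findings list under a policy.

    passed   -- True only if no severity exceeds its tolerated count
    counts   -- number of findings at each severity (the 'report card')
    blocking -- the findings at every severity that broke the policy
    """
    counts = Counter(severity for _, severity in findings)
    blocking = []
    for severity, limit in sorted(policy.items(), reverse=True):
        if counts[severity] > limit:
            blocking.extend(name for name, s in findings if s == severity)
    return {"passed": not blocking, "counts": dict(counts), "blocking": blocking}

def remaining_after_fixing(findings, fixed_names):
    """Findings that remain once the named flaws have been remediated."""
    return [f for f in findings if f[0] not in fixed_names]

if __name__ == "__main__":
    print(evaluate_policy(SAMPLE_FINDINGS, STRICT_POLICY))
    print(evaluate_policy(SAMPLE_FINDINGS, RELAXED_POLICY))
```

The same findings fail both policies here because of the two severity-5 flaws; once those are fixed the relaxed policy passes while the strict one still blocks on the severity-3 and severity-4 items, which is exactly the difference in "impact analysis" between application types that the article describes.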
For an application to achieve “VerAfied” status it must meet a set of criteria that is standardised across all applications. A VerAfied High Assurance status offers complete OWASP Top 10 and CWE/SANS 25 certification, but the code needs to be further checked manually, which attracts an additional charge.
The cost of unlimited access to this code scanning system is around $5,000 per application per year, which apparently reduces dramatically based on volume with attractive unlimited application packages for companies wishing to standardise on their security platform for internal, third-party or mobile applications.
Clients also have access to a neat system called “SecurityInsights” that enables them to compare their performance with that of their peers. Using the anonymous data collected by the backend, a business intelligence interface can be used to search for other clients in a specific sector with similar applications to see how levels of code security compare. All client information is kept anonymised and comparisons are made against aggregated statistics.
The next step is full integration with the IDE (integrated development environment) such as Eclipse, as well as bug tracking and build management systems so developers don’t need to leave the tools they use every day. This is available now, via a set of APIs, but later this year expect to see the code scanning results and workflow incorporated into the IDE properly. This will enable a developer to receive very specific feedback as to the nature of the security flaw, highlighted against the specific line of code in the IDE, making the debug process a whole lot easier.
It’s only by using a cloud based solution that such a critical mass of useful security data, used to check code files, can be accrued. This is a far more effective way of ensuring secure code than each development team using their own on-premise solution in isolation. This inherent learning and sharing of knowledge is a massive benefit of a cloud based solution.
In lots of respects the people at Veracode may be responsible for changing the way in which we manage application security. The perfect storm of available technology, lower cost and a demand for increased application security might just be what we have been waiting for. In this case the cloud is the future.