
Why don't developers have a 'spellchecker' for security?

Maria Korolov | Nov. 1, 2016
Wouldn't it be nice if software developers had something like spellcheck, but instead of catching simple grammar mistakes, it caught basic security problems?

Enterprises aren't just looking at their internal development processes, but are also starting to ask their software vendors to improve their security.

"It's happening more and more because the supply chain is responsible for security incidents and breaches," said Cahill. "And one of the things they ask is, do you do software scanning and security analysis?"

The tools are also getting better, he said, with a number of vendors offering software scanning and orchestration tools so that companies can integrate the security checks earlier into the development process.

"But it should be contextual," he added. "If you just get 'you made a coding mistake,' that's not especially helpful. But if you get an advisory that because of the way you structured your code, it could be exploited by a SQL injection, and here are some ways to adjust your code ... we can improve our security posture."

It's important to avoid alert fatigue, he added, or having a "Clippy" of security -- annoying and unhelpful.

"These types of alerts need to be prescriptive, consultative, and actionable," said Cahill.
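To make Cahill's distinction concrete, here is a small added example of what a "contextual" security check looks like versus a bare "coding mistake" flag. It is not Cigital's, Checkmarx's or any vendor's tool; it is a toy linter written for this article that walks a Python syntax tree, looks for DB-API style `cursor.execute()` / `executemany()` calls whose SQL text is assembled at runtime, and emits an advisory that says why that matters and what to change. The sample snippets it runs over are constructed for the example.

```python
"""Toy 'security spellchecker' for one bug class: SQL built by string
formatting or concatenation. Added example for this article, not a vendor tool.
Assumes DB-API style calls (cursor.execute(sql, params)) and treats a first
argument built with %, .format(), an f-string or + as injectable.
"""
import ast
from dataclasses import dataclass


@dataclass
class Advisory:
    line: int
    message: str      # why this is a problem, in context
    suggestion: str   # the concrete change to make


EXEC_METHODS = {"execute", "executemany"}


def _is_string_building(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                            # "..." + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                            # "...{}".format(x)
    return False


def check_sql(source: str) -> list[Advisory]:
    """Return one prescriptive advisory per execute() call with dynamic SQL text."""
    advisories = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in EXEC_METHODS or not node.args:
            continue
        if _is_string_building(node.args[0]):
            advisories.append(Advisory(
                line=node.lineno,
                message=(f"line {node.lineno}: the SQL passed to {node.func.attr}() "
                         "is assembled at runtime, so a user-controlled value becomes "
                         "part of the statement and can change its meaning (SQL injection)."),
                suggestion=("keep the statement text constant and pass values as a "
                            "separate parameter tuple, e.g. "
                            "cursor.execute(\"SELECT ... WHERE name = ?\", (name,))"),
            ))
    return advisories


# Constructed sample input: the vulnerable form and the hardened form side by side.
VULNERABLE = '''
def find_user(cursor, name):
    cursor.execute("SELECT id FROM users WHERE name = '%s'" % name)
    return cursor.fetchone()
'''

HARDENED = '''
def find_user(cursor, name):
    cursor.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cursor.fetchone()
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        found = check_sql(src)
        print(f"{label}: {len(found)} advisory(ies)")
        for adv in found:
            print("  ", adv.message)
            print("   fix:", adv.suggestion)
```

The check is deliberately narrow: it only inspects the argument expression at the call site, so SQL assembled into a variable earlier and passed by name is missed, and it says nothing about whether the interpolated value is actually user-controlled. A production tool adds data-flow tracking for both; what this example shows is the shape of the output, a message tied to the specific line and a suggested rewrite, rather than a generic "possible injection" flag.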

Cigital, an application security vendor, first looked at doing a security "spellchecker" back in 1999, but creating another "Clippy" was a serious concern.

"Clippy was universally hated," said John Steven, Internal CTO at Cigital. "It was hated because it was in your face, you were typing and it distracted you, and its advice was always daft. It was telling you the wrong thing all the time."

It would have been too easy to do the same for application security.

For example, he said, take cross-site scripting.

"Every line of code you're writing could potentially be vulnerable to cross-site scripting," he said.

But developers are now more willing to consider tools that help them write code, he said. Plus, the new early-stage software security tools are not being used to find all possible vulnerabilities, but are used as training tools, instead.

Say, for example, a developer is considering linking to an insecure open source library. Cigital offers a tool that can catch that problem right away, suggest a better library, and even automatically convert existing code.
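The "insecure library" check described above is, at its core, a comparison of what a project declares it depends on against an advisory list, with an upgrade or replacement suggested when a pinned version falls in an affected range. The following added example sketches that check for a `requirements.txt`-style file. It is not Cigital's tool, and every package name, version range and advisory in it is constructed for illustration; a real check would load the table from a vulnerability database and handle the full version-specifier grammar.

```python
"""Toy dependency check: match pinned packages against an advisory table and
suggest the fix. Added example for this article, not a vendor tool.
All packages, versions and advisories below are CONSTRUCTED, not real.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    package: str
    affected_below: str           # versions strictly below this are affected
    fixed_in: str
    note: str
    replacement: Optional[str] = None   # an alternative library, if one is preferred


# Constructed advisory table (invented names and versions).
ADVISORIES = [
    Advisory("examplelib", affected_below="2.4.0", fixed_in="2.4.0",
             note="deserializes untrusted input"),
    Advisory("oldcrypto", affected_below="1.0.0", fixed_in="1.0.0",
             note="weak default key size", replacement="bettercrypto"),
    Advisory("legacyxml", affected_below="9.9.9", fixed_in="9.9.9",
             note="unmaintained; no fix planned", replacement="safexml"),
]

# Only exact pins (name==1.2.3) are understood by this toy parser.
REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric dotted version -> comparable tuple, e.g. '2.3.1' -> (2, 3, 1)."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text: str) -> dict[str, str]:
    """Map lowercased package name -> pinned version, ignoring comments/blank lines."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if m is None:
            continue  # unpinned or range specifier: out of scope for this example
        pins[m.group(1).lower()] = m.group(2)
    return pins


def check_dependencies(text: str) -> list[str]:
    """Return one actionable finding per pinned package in an affected range."""
    findings = []
    pins = parse_requirements(text)
    for adv in ADVISORIES:
        pinned = pins.get(adv.package)
        if pinned is None:
            continue
        if parse_version(pinned) < parse_version(adv.affected_below):
            fix = f"upgrade to {adv.package}=={adv.fixed_in}"
            if adv.replacement:
                fix += f" or switch to {adv.replacement}"
            findings.append(f"{adv.package}=={pinned}: {adv.note}; {fix}")
    return findings


# Constructed requirements file for the example.
REQUIREMENTS = """\
# constructed sample, not a real project
examplelib==2.3.1
oldcrypto==1.2.0
legacyxml==0.8.0
safelib==3.0.0
"""

if __name__ == "__main__":
    for finding in check_dependencies(REQUIREMENTS):
        print(finding)
```

Two details matter for the "catch it right away" use case the text describes. The check has to run on the declaration (the requirements file or lock file), not on the installed environment, so it fires at the moment a developer adds the line; and the finding has to carry the fix, whether that is a minimum safe version or a recommended replacement, otherwise it is just another unhelpful alert.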

"We want to find the choke points to help them make a good decision," he said, "And cut out whole swathes of later opportunities to create problems."

In fact, the security education aspect is one of the top benefits of early-stage application testing.

According to a SANS report released earlier this year, the lack of application security skills is the top challenge when it comes to improving software security, ahead of funding and management buy-in.

Built-in security education

Checkmarx is one of several vendors looking to address that very issue.
