The need for security in all things technology is well-known and paramount. That includes the demand for the highest security standards in software development as well. For companies and developers there is good news, as OWASP, NIST and the Common Weakness Enumeration standards provide just those kind of guidelines and safeguards.
Providing structure for standards and best practices is important in any industry – it is vital in software development. OWASP(Open Web Application Security Project) delivers those essential guidelines. This non-profit organization is aimed at building a non-biased and visible software security information source. Their mission statement states that their goal is, to enable and empower “individuals and organizations…to make informed decisions.”
The primary avenue for accomplishing this is through providing information that is both impartial and practical regarding AppSec. OWASP offers documentation and issues software tools to bolster security efforts. This community of professionals having the same mindset remains vendor neutral and security focused.
This branch of the government has seen it all, founded in 1901 and today the NIST (National Institute of Standards and Technology) patrols the standards that impact software development. There is a great deal of software out there, produced by many developers and companies. This equates to the need for a common language and definition structure. Much like doctors and lawyers have a verbiage unique to their fields, so do people like software developers and coders. The NIST has been establishing language and definition frameworks for a long time, today that applies to technology too.
Maintaining and establishing security protocols such as the AES (Advanced Encryption Standard) is only an example of the commitment to security shown by the NIST. Software itself and the lives of developers would be far different today without the structure and security afforded by the NIST.
Common Weakness Enumeration
CWE (Common Weakness Enumeration) is a little like America’s Most Wanted, only these threats are about securityweaknesses. Much like the NIST acts to define a common language among the landscape of security, CWE defines a common language in defining the threats. The CWE is a list of common security flaws in software, what makes this list so unique is that it is compiled through a community of professionals.
This list can act as a gauge for software security tools or even as a type of litmus test. It is also used as a baseline to identify, mitigate and prevent software weaknesses. Staying ahead of threats, eliminating weaknesses and identifying these issues ahead of time is of the essence. Once software has been compromised, it is too late. Catching a breach after it happens, is too late. Security standards are necessary for just those reasons, to stop the attack before it happens.
Security and the SDLC
The SDLC (Software Development Life Cycle) can have security measures integrated into it throughout the process. OWASP has developed SAMM (Software Assurance Maturity Model) to assist with such security measures. SAMM is designed to bring security considerations into every step of the software development process, from early stage assessments to final implementation. If you find yourself wondering if the need for such in-depth security measures and strict standards are necessary, consider this…
“…63 percent of internally developed applications are out of compliance with OWASP Top 10 standards when initially assessed for security.”
That translates into a potentially great number of vulnerabilities for many different software packages and programs.
This is no small issue and the consequences of not have software assurances can be damming. The reputations and possible livelihoods of businesses, developers, consumers and many others can be hurt as a result of vulnerable software. It is one of the primary reasons why companies value and seek software providers that afford them assurance. The highly respected CWE certification, for example, is one such assurance that businesses seriously weigh.
With the sheer size of the internet, the impact of mobile services and vast amount of software being produced, the need to maintain the highest security standards has never been higher. That also means the ramifications of failing in this arena have never been greater too.
New Security Challenges
The Cloud has introduced another new set of challenges and raised the stakes for security standards in software development. Public enemy number one is the speed of deployment now capable in the PaaS environment. This hosted environment offers a cloud-provided application development platform, meaning faster development and faster deployment. The result is less time to test, safeguard and provide sufficient software assurance.
Working in a hosted environment can also come with its own set of challenges and security concerns. In theory, according to one article, “…the vendor handles the platforms while you handle the programming.” Of course, that requires some level of trust and a heavy reliance on security standards.
A Strong Foundation
Despite those daunting numbers reporting so many out of compliance applications, there are a large number of amazing and safe applications still being developed. That is in large part, due to those three pillars of security standards – OWASP, CWE and the NIST. Using and integrating the resources provided through these organizations is a step toward smart, safer and responsible software development.
The desire to get the next best piece of software out there, or quickly develop the application that permanently solves your company’s most costly issue can be tempting. Add to that temptation, the ability to develop and deploy faster than ever and we may see even more poorly developed and vulnerable software being released.
Good software is safe software and that begins with security standards.