A survey of participants to the 2005 Secure Software Forum — an industry forum promoting software quality assurance — observes that, while companies recognize the need for secure software and have begun developing secure coding policies, 70 per cent still have not integrated security assurance program into their development process.
Most large software vendors have implemented programs for secure code development, says Howard Schmidt, CEO, R&H Security Consulting in Issaquah, Wash.
For instance, Oracle Corp., criticized in the past for security vulnerabilities in some of its software, recently deployed Fortify Software’s source code analysis tools to test its code base of 30 million lines.
Fortify’s tools use a set of rules that can flag vulnerabilities in more than 60 categories, including SQL injection, buffer overflow and format string errors.
Fortify says its source code analysis tool has a high “signal-to-noise” ratio when analyzing large, complex commercial applications and lets users set thresholds to “tune” the analysis to desired sensitivity level. It helps users prioritize vulnerabilities according to importance without losing track of less important flaws that can be addressed later, writes IDC Corp.’s Melissa Webster in a research document entitled, Managing Software Security Risk.
High profile software companies are also placing less importance on meeting delivery deadlines and more on writing secure applications, says Schmidt. He adds that most of the software companies writing secure code don’t get due credit for the effort.
Microsoft’s long-awaited Windows Vista, the company’s next-generation operating system due to be released later this year, may be a case in point. Vista’s initial expected release was to be in 2003, but the unveiling has continually been pushed back.
Microsoft Canada president Phil Sorgen tells ComputerWorld Canada that his company has deliberately not set specific release date in an effort to ensure that the product release is not hurried by a date commitment.
Through an effort called “trustworthy computing initiative,” Microsoft applies a security development lifecycle process in product development, says Microsoft’s chief privacy strategist Peter Cullen.
The security development lifecycle process came as a result of work done by 8,500 Microsoft developers some four years ago, tasked to dismantle every line of code on Windows Server 2000 and fix vulnerabilities that were found, Cullen says.
“From that we learned very clearly that there were certain things that can happen in developing code, particularly on something as complex as an operating system,” he says.
Windows Vista is going through that same security development lifecycle and part of the process is technical community testing and feedback through the Windows Vista Community Technology Preview.
Ahead of its predecessor Windows XP, Vista has new built-in security features such as user account control, automatic security updates and Windows Defender that protects against spyware and potentially unwanted programs.