The U.S. Department of Homeland Security (DHS) states that 90% of security incidents result from exploits against defects in software.
"The SANS Institute 2015 State of Application Security Report" states that many information security engineers don't understand software development-and most software developers don't understand security." Frank Zinghini knows a thing or two about both topics. He is founder and CEO at Applied Visions, a 40-person secure software development firm headquartered on Long Island, N.Y., with another office in Clifton Park, N.Y. Zinghini has been writing code, managing software engineers, and building security products for more than two decades. He shed more light on how to bridge application development and security in a recent interview.
How long has security been a problem - as it relates to software development?
Zinghini: Insecure code has always been there, but it became a significant problem on the very first day we connected our computers to the Internet. In pre-connected days there were isolated incidences of people taking advantage of software flaws in order to break into computer systems or disable devices, but that required the attacker to have direct access to the system. Once we hooked everything together, we invited the entire world to attack our systems -- and on that day, we developers took on the responsibility for making sure that those attacks would fail.
Is all software code then at risk?
Zinghini: Knee-jerk reactions are counter-productive: the fact that some software are at risk does not imply that all software is at risk. Developers need to become adept at threat modeling: learning to think like an attacker so you can understand which parts of your system are truly vulnerable, and focus your attention on securing that code. While it is admirable, and desirable, to adopt the philosophy that any new code you develop should be secure code, in real life we are faced with the need to prioritize our efforts.
What are the biggest (security) mistakes made by software developers?
Zinghini: The biggest mistake that developers make, every day, is to say "We'll worry about security later, after we make our deadline." If you don't build security into your day-to-day development process, you will find yourself doing 10 times the work trying to "harden things up" after the fact. And the sad truth is, you probably won't do that, because once you make this deadline you'll likely already be behind schedule on the next deadline, so you'll never actually get back to dealing with security issues. Deferred security is no security.
"The best thing to do is accept that security is just as critical to building software as safety is to building airplanes."
Sign up for Computerworld eNewsletters.