What’s Wrong With Secure Software Development?

The short answer is: “Resources”. Marisa Fagan, an analyst at Errata Security, notes that formal secure software development programs are often too much for development teams to handle. “These programs have the [not entirely unwarranted] reputation of consuming large amounts of time, people, and money. We need programs that cut out all the fat. The secure coding program needs to fit the size and capabilities of the organization. If we ask too much from the average developer, we’re going to get nothing at all.”

Despite a wealth of security knowledge and developers’ access to advanced tools, many software security risks remain. Analysts say that vulnerabilities arise because many software developers do not understand how to build security into their code. “There’s a lot more acceptance of security as part of the process now, but historically developers have never been responsible for security,” says Fortify chief scientist Brian Chess. Although there have been several initiatives aimed at educating developers about secure software development practices, “the talent coming out of schools right now doesn’t have the security knowledge it needs,” says SAFECode executive director Paul Kurtz. Some organizations are adopting secure development frameworks such as the Building Security In Maturity Model (BSIMM), which catalogs the security activities observed in real software security initiatives so that an organization can measure its own program and decide which practices to apply across the whole development team. “BSIMM is a good strategy if you have a formalized software development process,” Chess says. The goal of such frameworks is to help developers find and fix the most common coding errors during development, rather than discovering them only after the code is complete.

Read more in the article “Why Can’t Johnny Develop Secure Software?” at Dark Reading.


About Dragan Pleskonjic

Chief Security Officer, University Lecturer, Entrepreneur, Security Researcher, Security Architect & Adviser, Software Development Manager. More info about Dragan Pleskonjic.
This entry was posted in Secure Programming.
