RSA: The Case For Code Testing

Holding court at the RSA Conference in San Francisco, cybersecurity veteran Howard Schmidt summed up the major security problem today: "The business applications you need to run your business are the applications that make you more vulnerable."

That's a problem worth considering, now that cybercriminals are focusing on application-layer vulnerabilities. It turns out that since Microsoft made security a priority six years ago, a move echoed by other vendors, operating system and network-layer vulnerabilities have become harder to find. There are still holes, to be sure, but they're so much more plentiful in the application layer these days, particularly in Web 2.0 apps.

Errors that can be exploited can appear in any kind of code, but Web 2.0 applications, which more and more companies are coming to depend upon, may be particularly vulnerable if not coded with security in mind. Many Web applications make use of JavaScript, for example, which really wasn't designed with security foremost.

A recently released report, "Why application security is crucial," from U.K.-based research firm Quocirca, explains: "One of the key security problems with using JavaScript is that it can be manipulated by attackers in order to gain access to the information being transported."

Another problem, the report says, is that Web 2.0, or Ajax, applications tend to rely on a large number of modules and higher-level interaction than traditional programming languages, which adds complexity and increases the possibility of programming errors. "The large number of small modules also makes Ajax more vulnerable to attack as it increases the overall attack surface, with each request for information and response representing a potential attack vector," the report says.

The research firm conducted a study in December of 250 senior IT executives in Germany, the United Kingdom, and the United States. It found that among respondents developing Web 2.0 applications, "a significant number are reporting that they are encountering vulnerabilities that are specific to new programming languages and this can actually increase the overall number of vulnerabilities to which the organization is exposed."

Schmidt, president and CEO of R&H Security Consulting and a former cybersecurity adviser at the White House, eBay, the FBI, and Microsoft, likes to tell an anecdote to illustrate what he believes needs to happen. He points out that he can buy a sports jacket with a tag that says, "Inspected by No. 16," but he can't get code with a similar certification.

As it happens, Schmidt serves on the board of Fortify, a software company that sells tools for finding software vulnerabilities in computer source code. Partisan though he may be, he makes a good case for why automated code testing helps keep organizations secure. It's an argument the government appears to have bought: Schmidt pointed out that federal agencies are starting to demand code analysis. "I wouldn't be surprised to see independent labs in the future validating code," he said.

The Quocirca study, commissioned by Fortify, indicates that using automated security tools when developing software lowers the overall cost of IT security. "Over 10% of U.K. respondents spend more than 15% of their IT budget on security -- but are the least likely to use automated tools for application security," the report says. "Conversely, 96% of German organizations spend less than 10% of their IT budgets on security and make the most use of automated tools for building security into applications during the early stages of the software development life cycle."

Asked to characterize the overall state of cybersecurity, Schmidt is surprisingly optimistic. "We know now what to do and how to do it," he said. "We just have to get it done."