Clear Insights - Security News You Can Use

DHS’ Software Assurance Efforts Can Help You

This post was written by Scott M. on March 19, 2009
Posted Under: Discussion, Opinion

I recently attended the March 2009 Software Assurance (SwA) Forum sponsored by the Department of Homeland Security (DHS) and have come away more confident than ever that we can greatly improve the state of application security. Most of the topics covered are not new, of course. Security wonks have always promoted integrating security through all the steps of the development process. What’s so encouraging is seeing the sincere effort being put into promoting these practices and baking them into standard efforts that will benefit everyone.

I highly encourage anyone responsible for security in the software lifecycle to keep an eye on the DHS “Build Security In” efforts. The Build Security In web site provides a ton of very informative and useful resources around best practices, security knowledge, and tools. Yes, the project and participants are still slanted towards those working on federal projects, but the lessons are extremely applicable to anyone in any industry.

The SwA forum is an extension of this program. It is a 3-day event held twice a year, and although it’s free (amazing, no?), it is as informative as any paid conference I’ve been to. What I found particularly encouraging were the “lessons learned” from organizations that are putting all the right pieces into action. Yes, some were quite boring, but others were revealing, especially those from smaller organizations.

Ajoy Kumar, Vice President, Depository Trust and Clearing Corporation (DTCC), for example, explained how they’ve been very successful in taking a somewhat hard-core approach with their developers, requiring increasingly tighter security requirements and metrics before code is accepted for deployment. And although all the security software, processes, and training cost them a bit up-front the first year, after four years all the up-front costs have been paid off in savings and they’re now saving millions more each year.

Carole Dicker, Director of Security and Facility, Compusearch Software Systems, Inc., reported similarly encouraging results and cost savings, although they have taken a more “developer-friendly” approach, more focused on training and less on punishing for defects. Others relayed how they have had success teaching their developers to think like hackers, while some find that hasn’t really worked for them.

This isn’t to say that any one practice is better than the other. Quite the contrary – different methods may work better for different organizations. Clear Skies sees this all the time when performing assessments and providing training, which is why we tailor our work as much as possible to each client. The key is that, regardless of the exact methods, you’re at least doing something at key points throughout the development process. Efforts like those of DHS make it much easier to make that happen.
