A group of software security experts has issued guidelines designed to reduce the number of exploitable vulnerabilities ending up in production code.
The latest paper from the Software Assurance Forum for Excellence in Code (SAFECode) outlines practical software tips on ways developers can build in security during the development cycle. The “Practical Security Stories and Security Tasks for Agile Development Environments” report outlines 36 steps coders can incorporate into the Agile software development process.
Agile is a framework in which teams work on incremental updates within a short development window. The team develops the first iteration of the code and then refines the product based on new requirements and feedback. The aim is to build something, even if it isn’t complete or perfect, and then improve it in manageable chunks.
The paper “is a step forward for helping developers understand how to make security a part of Agile development processes,” Andy Chou, CTO of Coverity, told SecurityWeek.
Developers are encouraged to think about specific security tasks when planning out their development goals for the sprint, or development cycle. Agile organizes development into sprints, which are generally two to four weeks long, and developers decide beforehand what they intend to accomplish during that period. The goals are written down as “stories” and are very specific.
An example story in the SAFECode paper reads: “As a(n) architect/developer, I want to ensure AND as [quality assurance], I want to verify that cross-site scripting attacks are prevented.”
Developers have to think about the tasks that need to be completed and by whom in order to accomplish this goal. One such task for the above example may be “[D/T] When generating dynamic web pages, filter the input for any browser-executable content that is not intended (for example, from user-originated fields in a database). Consider all forms of input of content that might eventually be presented to and consumed by a browser, like events generated outside the system, log messages, arguments in a URL, form field values, etc. Perform this filtering at server-side, close to use.”
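As an added illustration of that task (example code written for this article, not from the SAFECode paper), the constructed page below takes the three input kinds the task lists, renders them raw and then with escaping applied server-side at the point of output, and a small HTML parser plays the QA role of verifying that no browser-executable content survives:

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs, one per source the task names: a URL argument,
# a user-originated database field, and a log message. None is trusted.
SAMPLE_INPUTS = {
    "url_arg": "<script>alert(1)</script>",
    "db_field": 'Bob" onmouseover="alert(2)',
    "log_msg": "login failed for <img src=x onerror=alert(3)>",
}

def render_unsafe(inputs):
    # "Before" form: raw values concatenated into the page, so executable
    # content from any of the three sources reaches the browser intact.
    name, query, log = inputs["db_field"], inputs["url_arg"], inputs["log_msg"]
    return (f'<input value="{name}">'
            f"<p>Query: {query}</p>"
            f"<pre>{log}</pre>")

def render_safe(inputs):
    # Hardened form: filter at the server side, at the point of use, with
    # quote=True so the value is safe in attribute and element contexts alike.
    name = html.escape(inputs["db_field"], quote=True)   # attribute context
    query = html.escape(inputs["url_arg"], quote=True)   # element content
    log = html.escape(inputs["log_msg"], quote=True)     # element content
    return (f'<input value="{name}">'
            f"<p>Query: {query}</p>"
            f"<pre>{log}</pre>")

class _Audit(HTMLParser):
    # Parses the rendered page as a browser would and records any element
    # or attribute that would execute script; escaped text parses as data.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for attr_name, _value in attrs:
            if attr_name.startswith("on"):
                self.findings.append(f"event handler {attr_name}")

def qa_verify(page):
    # QA half of the story: returns the executable content found; an empty
    # list means the cross-site scripting task held for this page.
    audit = _Audit()
    audit.feed(page)
    audit.close()
    return audit.findings
```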
Several of the stories mention looking for defects using a layered approach that incorporates self-education, use of static analysis tools, and fuzz testing, Chou said. This in-depth approach can help developers learn from the defects in their code as the code is being written, which can be a very effective way for them to internalize how to write secure code, he added.
While the stories are a “step forward,” there is room for improvement, as many of them “still lack the clarity and detail that developers need to do an outstanding job auditing and fixing their own code,” Chou said.
There is a “natural tension” between “the dynamic nature of Agile development” and the more “formalized approach” favored in secure software development, said Vishal Asthana, a lead author of the paper and senior principal software engineer at Symantec’s product security group.
Developers can manage that tension by defining security-focused stories with associated security tasks, operational security tasks, or other tasks that require support from security professionals, Asthana said. “Secure software development practices get a bad reputation for not being suitable” for Agile, Reeny Sondhi, director of product security assurance in EMC’s product security office, told SecurityWeek.
The SAFECode paper includes experiences of actual member companies combining secure software development strategies with the principles of Agile development. The guidelines should be a “valuable resource for organizations to incorporate security or enhance existing security tasks in their development process irrespective of the type of software development methodology they practice,” Sondhi said.
SAFECode is an industry consortium dedicated to assuring the security of software. Adobe, EMC, Juniper Networks, Microsoft, Nokia, SAP, Siemens and Symantec are members.
The full 34-page paper from SAFECode is available here.