A recent article by Maria Cosgrove in CSO asked the question “Wouldn’t it be nice if software developers had something like spellcheck, but instead of catching simple grammar mistakes, it caught basic security problems?”
Very good question, especially when you think about all the cyber security problems and attacks we’ve seen in recent months. The reality is that developers are still writing software with security vulnerabilities. As project timelines contract and more people are involved, the development cycle becomes more complex and is prone to problems. If the problems were rarely seen bugs, it would be one thing, but why are there so many basic errors inside a lot of software?
Ron Arden, Executive Vice President at Fasoo, was quoted in the article saying, “Today’s integrated development environments can already catch common syntax errors, like missing semicolons. If there’s a function you’re using, it shows the parameters, but it won’t tell you if there’s a SQL injection or cross-site scripting error.”
So back to the original question of using a tool like a spellchecker that would identify and help eliminate these problems. This would help developers fix vulnerabilities immediately and also learn to write more secure code in the process.
Traditionally companies test software for vulnerabilities after it has been written during a QA process, but that can be too late, since it introduces too many problems and delays in the development cycle. A better approach is to use application security testing during the code development process to detect security vulnerabilities using an analysis engine based on semantic and syntactic methods. This not only improves the code, but also helps meet a strict set of compliance requirements that follows CWE, OWASP, CERT and other international standards.
Cyber attacks typically target network weaknesses causing organizations to protect themselves with firewalls, intrusion prevention systems, and similar tools. These attacks target weaknesses in the software that companies develop and use. It is difficult to stop malware related attacks after software has been developed. It is better to eliminate these attacks before the software is developed by detecting all security vulnerabilities in the source code.
Another issue is the cost to fix vulnerabilities after you release software. Studies show it can cost less that $1000 to fix a bug during the coding process, but over $14,000 to fix it after it is released. This doesn’t take into account remediation needed by a customer to address any problems caused by the bugs in the first place.
Checking security vulnerabilities during development is the optimal approach and will help minimize potential problems before deployment. This will dramatically reduce the security attack surface in a production system and help us all sleep better at night.