Code development should have security built in from the start to avoid headaches further along the line, and tools and processes exist to make this possible.
Speaking at the Checkmarx “Shift Left” conference in central London, security researcher Troy Hunt said that it is hard to put numbers on security of code, and it is hard to look at code once it is written and determine if it is good or bad, but if it is bad, it “will cost so much to manage in future.”
Speaking on 'Software Security and Early Prevention of Vulnerable Code', Hunt said that it is educational to go through people’s software at a late stage, because you can “find entertaining vulnerabilities at this stage”.
He said: “It is insightful as often it is the expectation that no one does bad stuff to your software, and ‘no matter what, people screw it up for us’. If we think software is used in the way it is designed and intended to be used, we are going to have a problem.”
Hunt created the character ‘Vlad’ who delivers the bad news about code flaws, and said that often bad news is delivered at the end of the process during testing, and often “security folks are sick of folks screwing it up.
“We have got to be better with the ‘standoffishness’ between developers and security people; we are all trying to achieve the same thing, and it is a bit of a problem,” he said.
“Businesses don’t understand the nuances of security and want the website to be live, but we know there are vulnerabilities and things may be exploited, so somewhere there has to be compromise, as we know there are risks and can fix them.”
Hunt acknowledged that it is easy to write bad code, and the end of the process is a “bad time to do security”, so he argued we need to move it to the start as that is where we should think about it and this should be an embedded concept.
“If we fix bugs earlier it will cost significantly less,” he said. Asked how that can be achieved, Hunt stressed the need for training, for static code analysis and for continuous integration. He also said that dynamic analysis is important, as no single technique in isolation is better than another and all facets can work together.
“Dynamic analysis after release will find other interesting things; penetration testing is also very valuable and I am amazed at what good pentesters can do, as smart people do great things with complex software and you don’t want the Vlads of this world to do static analysis to find SQL flaws.”