Each day brings more reports of hacked systems. The security breaches at Target, TJ Maxx, and Heartland Payment Systems are reported to have cost well beyond $140,000,000 each. Are we near a tipping point where people stop trusting online and electronic systems and go back to buying over-the-counter with cash and personal checks? When does the financial services industry reach the breaking point and start charging excessive fees to cover their losses? Before we arrive there, IT needs to apply some tough love to software security.
Reports following the shutdown of a crime ring last summer that had stolen 130,000,000+ credit card numbers indicated that the weakness most frequently exploited to gain entry was SQL injection. SQL injection??? Haven’t we known about that weakness for two decades? How can we still be creating these types of vulnerabilities? How can we not have detected them before putting the code into production? Don’t you validate your input? Don’t you wash your hands before eating?
What do we have to do to derail this hacking express? What will it take to develop a global profession of software engineers who understand the structural elements of secure code? We need some tough love for those who continue to leave glaring holes in critical applications.
Here is a tough love recommendation. It is admittedly a bit whacky, but you’ll get the point. First, we rate each of the code-based weaknesses in the Common Weakness Enumeration (cwe.mitre.org) on a severity scale from ‘1 – very minor and difficult to exploit’, to ‘9 – you just rolled out a red carpet to the confidential data’. Next, we implement technology that continually scans code during development for security vulnerabilities. Finally, we immediately enforce the following penalties when a security-related flaw is detected during a coding session.
- Severity rating 1, 2 — “Come on dude, that’s dumb” flashes on the developer’s display
- Severity rating 3, 4 — developer placed in ‘timeout’ for 2 hours by auto-locking IDE
- Severity rating 5, 6 — developer’s name and defect published on daily bozo list
- Severity rating 7, 8 — mild electric shock administered through the developer’s keyboard
- Severity rating 9 — developer banished to database administration for 1 month
Okay, this is a bit much, but with the cost of security flaws to business running well into 9-digits, the status quo in development is no longer tolerable. Here are some reasonable steps to take on the road to tough love.
- All applications touching confidential information should be automatically scanned for security weaknesses during development, and immediate feedback provided to developers.
- Before each release into production, all application code should be scanned at the system level for security weaknesses.
- All high severity security weaknesses should be removed before the code enters production.
- All other security weaknesses should be prioritized on a maintenance or story backlog for future remediation.
- All developers should be trained in developing secure code for each of their languages and platforms.
- Developers who continue to submit components to builds that harbor security weaknesses should receive additional training and/or mentoring.
- Developers who are unable to produce secure code even after additional training and/or mentoring should be assigned to other work.
The latter recommendations may upset some developers. However, as the financial damage of security breaches escalates, the industry must take steps necessary to ensure that those entrusted to develop secure systems have the knowledge, skill, and discipline necessary to the task. Organizations must accept some responsibility for preparing developers and sustaining their skills. Academic institutions need to incorporate cyber-security as a requirement into their computer science and software engineering curricula.
The cyber-security community is supporting many important initiatives, and IT needs to take advantage of them. Good places to start include the CERT website (www.cert.org) supported by the Software Engineering Institute at Carnegie Mellon University, the SANS Institute (www.sans.org), and the Common Weakness Enumeration (cwe.mitre.org) repository supported by Mitre on behalf of the US Department of Homeland Security. Ultimately, developers must be held accountable for their capability and work results, since the risk to which they expose a business has grown unacceptably large. Tough love for tougher security.