How we really integrate security into the SDLC? What are some of the best practices around secure software?
In this episode of TechStrong TV, Jill Britton, director of compliance, and Stuart Foster, product manager at Perforce, joined us to discuss how to improve application security by making security a fundamental component of the software creation process.
The video is immediately below, followed by the transcript of the conversation. Enjoy!
Mitch Ashley: I have the pleasure of being joined buy a couple of folks that I’ve talked with before on a webinar and a few other videos. Jill Britton and Stuart Foster from Perforce. Welcome to you both.
Stuart Foster: Thanks for having us, Mitch.
Jill Britton: Thanks.
Ashley: Let’s start off with some introductions. Since you’re ahead in the time zone here, Jill, how about you go first?
Britton: Okay, thanks. I’m Jill Britton. I’m the director of compliance for static analysis tools here at Perforce. I look after areas regarding coding standards, functional safety standards, security standards, anything in that area.
Ashley: Excellent. Stuart, you want to introduce yourself? Tell us about Perforce, too.
Foster: Sure, yeah. I’m Stuart Foster. I’m a product manager for our static analysis products, both Klocwork and Helix QAC. And a little bit about Perforce, we help with enterprise development and DevOps at scale. We have a lot of various tools that help accelerate development projects in terms of your planning. So we have project and portfolio management tools, requirements management tools. We have things that help in the create area of the DevOps infinity circle for issue management version, asset management, code review. We have static analysis. We have various functional test case management and things like that that also fit in the verify. And we have a lot of tools that are here to drive your product at a high quality to market.
Ashley: Excellent. Excellent. Well, very timely conversation at least here in the U.S. with security of software, in this case distribution with the SolarWinds situation. We’re not going to be talking about that, but strongly the topic of secure applications is right in there, right at the top of the list. Let’s first start, I know we’re going to get into some coding standards and some things like that to equip people with some things that they can use. Maybe we first start with DevOps is more than just – and shift-left is more than just, okay, let’s start having meetings or talk on Slack with the security people and then suddenly we’ve shifted left. You know, there’s a lot more to how we really integrate security into the process of creating software. Maybe, Stuart, if you want to start sharing some of your thoughts about that and of course, Jill, get your perspective as well.
Foster: Sure, yeah. I mean you think about DevOps, you think about agile development and it’s the ownership of code; but outside of simply delivering functional requirements for your products, your applications, you know, a lot of teams are just thinking about security. So there’s a necessary to build that in directly. And what that leads you in to is selecting tools, selecting processes to ensure that you’re kind of baking in the security into your pipelines and making it automatic. That starts with thinking about coding standards and things like that. So there’s plenty of secure coding standards that you can focus down on. I think Jill has a couple of words for that.
Ashley: I’m sure you do. Go ahead, Jill.
Britton: Oh, I have many, many words on that. The important thing is that you pick the standard that you are going to be comfortable with, that you are going to be able to apply. If you’re supplying a product to a supplier, you will probably be told which ones to use. But you’ve got I think that cert – oh, where, it’s from Carnegie Mellon University. They’ve been looking at security for many years now and it builds up and it also takes experience from both academia, tools, developers, actually anybody who wishes to contribute and then of course it is looked at all the contributions. So this good security standard because it is there.
But connected to that you’ve got the Common Weakness Enumeration so administered MITRE, and that is actually just a collection of vulnerabilities that have been seen and proved in the field. So you’ve got this whole wealth of experience and you want to avoid doing what the problems other people have seen. That’s where these kind of standards come in. CWE I would argue isn’t a coding standard. It’s more a measure. You know, have I seen this problem? Have I got this problem? And there’s another related set of numbers, let’s put it that, which is common vulnerabilities and that’s even further down the line. Before you even get to see weaknesses, there are vulnerabilities and you just have to use this information in your own developments. Don’t do what somebody else has already done is kind of the way to look at it in security in particularly.
Ashley: It isn’t like we don’t know how to create secure software. We do but we kind of do the same thing over and over, the same mistakes, right?
Britton: That’s right.
Ashley: Sometimes just out of not knowing and sometimes just human error. Sorry, Stuart, you were going to jump in there too.
Foster: I was going to say, so effectively one of those, CWE is effectively describing issues that are not necessarily related directly to a language; and the other ones are specific rules that you follow to ensure that you don’t run in to these types of vulnerabilities or weaknesses, right?
Britton: That’s right. That’s it.
Ashley: Yeah, there are specific things that are in Java, PHP, you know specific languages that are very well used, very popular of course. Go ahead, Jill.
Britton: No, the thing is when you look at the CWEs, they are categorized to languages or to systems or just to general sort of areas; but there are then what they call the lists. So you’ve got a list for C and a list for C++ and there’s a list for Java. Then you also have a top 25. Now a top 25 may or may not apply to your own product, but it’s always worth having a look. If those ones don’t apply, there’s another sort of secondary list. It’s emerging, and you could look there. There’s always something to check against for any sort of software.
Ashley: Are most of the things on that list you find have been there for a while? SQL injection, buffer overflows, things like that? Or do they tend to be newer things? Are we seeing the same things over or would we find a lot of new things?
Britton: It’s a variety. You do see the same ones over and over again. There are some weaknesses that were on the 2011 list and are still in the 2020, but there are new vulnerabilities as new types of development come in and you get more skilled hackers really. You’ve always got to consider that the hacker is always one step ahead.
Foster: And you kind of see that these standards or these top 25 lists, they change after every couple of years and they spend their time kind of reviewing the vulnerabilities that have been found in opensource projects and other places and kind of give them a weighting. So while you may see the top 25 have a pretty similar overlap between multiple years, their rankings change. So it kind of shows to you that in general software is becoming more secure but not as secure in these new areas. So you see some vulnerabilities lower and the new ones come up at a higher rate. I think it also depends on where software development is currently is in terms of market. What’s the new hotness? Is it Internet of Things connected to software? Is there a new language coming out that has never been attacked? So you see the priorities change on these top 25 lists.
Ashley: Let’s step back for a moment. How would a development team or developer – I assume most folks are probably familiar with at least CBEs or some things like that, but maybe they haven’t dived into the top 25 for CWEs. What’s the best way to do that? Is it just go out and read about them, educate yourself? Do people, do development teams like, okay, I’m gonna dive into this and research a little bit more and I’ll share with you or how do people apply this to their teams?
Britton: Well, there’s several ways they apply it. Sometimes they just hear about it, something like we’re doing talking today; and they go, oh, is this going to be relevant to me. And look, it’s a few things. As I said, sometimes a supplier specifies the angles to have proof that you’ve checked against this. And of course the static analysis tool, we can map checkers and messages against these vulnerabilities and these weaknesses so that we can show your code is exhibiting these features. But it’s really important to know what you’re going to be looking for and then do something about it as the static analysis tools can show you, yes, you’ve got this vulnerability but really it’s not off point just leaving there. You must do something about it.
Ashley: You know, it’s interesting. So many, not everyone of course, so many of the vulnerabilities are about input, right, to a user interface of some type, web, OS command, mobile device. It’s a lot about neutralizing, dealing with the input that you’ve received, making sure that they’re not injecting something that they shouldn’t, getting access to a directory, all kinds of things like that. So it’s things that apply across multiple technology stacks and multiple applications. So generally speaking it’s not like this is a skill you’re going to use on one app and then you have to relearn it for the next app. You carry that stuff with you. It’s part of your skillset you build as a software engineer.
Britton: Yeah, it’s education, isn’t it? You know, it’s just everybody gets more and more experience of this type of issue. It’s not that long ago that security wasn’t at the heart, but now it is.
Foster: And if you think about it, you know there’s kind of different levels of maturity in terms of security, right? You start developing because you know you have some types of vulnerabilities and you start working towards that. But if you think more longer term about your projects and how they might be very important IP or pieces of software that are embedded over time, it becomes more important to think about security because, you know, being able to fix some issues that you know about versus following a secure coding standard to ensure that the reliability, the strength and hardening of your software to begin with means that years down the line when somebody has integrated your piece of software into some type of embedded system that can never be touched, then you’re lowering the risk of there being vulnerabilities permanently out in the market for a very, very long time. So that becomes kind of the second level maturity when you’re developing and thinking about developing more secure software.
Ashley: Now you mentioned, I forgot which one of you mentioned something about you might encounter something under a contract with the customer that requires specific security standards. One example I know that you all deal with quite a bit is ISO 26262 for automotive industry. Here you’re dealing with safety of course as well as security. Talk a little bit about how something – do the industry-specific standards really kind of go off the reservation to do something really different or are they building on what we do generally in software and then applying it to their specific domain?
Britton: We could take ISO 26262 which is for vehicles. It’s very much good practice. It’s nothing totally off the scale. They recommend for software the use of a coding standard. You are allowed to use any coding standard you like, but then there are specific categories of software violations that you need to be able to detect so whatever you do. MISRA is sort of the classic for 26262 because it was developed for vehicles. But you have other industries with very, very similar requirements from software and now we’re moving into the scale of security. Back to vehicles again, it’s ISO 21434 which isn’t out yet; but that also requires the use of a coding standard and the violations they’re looking for are still very, very similar. It’s the same type of things. Quality software is what we’re always looking for.
Foster: Because as I kind of mentioned a minute ago, you think about a car, that’s a big rolling embedded system that’s more or less permanent once it’s complete and it’s really hard to fix later. So you can understand how security as an oops, we’ll go back and fix it versus security as a process becomes more important. That’s exactly why ISO 21434 is becoming a thing or will becomes a thing once it’s releases. But we already have customers in industries looking at it and following along and understanding what that impact is going to be because to connect the cars was a big rolling computer.
Ashley: You know, this is a little bit kind of parallel to just creating software but not too long ago I went through a web trust audit and very much like a standard like you’re describing it is do you have a process, do you have something that you follow, should follow, and do you follow it and do you have evidence of that. So many of the standards are just the technical details of what you should do to write pure code. It’s do you have the processes around that and are you following those and in some cases you do an audit. Necessary if you want a WebTrust, for example, certification or others. So it’s not just writing secure code, it’s if you say you’re going to do it, then you have to do it and demonstrate that you’re doing it and have some form. So what I’m saying is it’s really an investment that you’re making by writing secure code following some of these standards, but then that’s going to help you down the road meet other requirements.
Foster: Yeah, it makes it easier when you’re trying to implement say ISO 27001 which is information management security management requirement compliance thing. And there’s controls in there and what you’re talking about per the audit is putting in controls for your business and there are various areas in those controls that in many ways relate to the software that’s developed within the company. So yeah, by following some of these security standards you’re in essence helping with those controls later when/if you go and certify your company as that type of ISO requirement.
Ashley: You know, Jill, I know you deal a lot with governance and some compliance and things like that. What are some of the best practices around secure software? We’ve touched on quite a few already but are there some other thoughts on other best practices to help people move up that maturity scale?
Britton: Well, it’s a very basic part of any process really. Choose your metrics. How are you going to actually measure and see how you are progressing through your process? And similarly to software weaknesses, when you get your metrics, what are you going to do with them? There’s no point in collecting a whole collection of them and saying, yep, we’ve got our metrics. What does it mean? Does it mean that we have got 27 security violations last week? Oh, great, we’ve got a number. But what are we going to do about those 27 or so security violations? Again, it’s back to process. What is your process? What is an acceptable level of these metrics? And you can have metrics working all the way through the cycle right from requirements to development and test. You can actually have measures of how you are progressing through your cycle.
Foster: And also what you find when you look at a lot of these security standards and their vulnerabilities, they have kind of the impact likelihood, cost to remediate, potential issue or risks that you see in the market when one goes out. So alongside that, a lot of the standards as well have kind of a risk scale or a prioritization that helps you – gives you an idea of where to start. And then in terms of the process, it’s not always a matter of running a tool or trying to follow these standards and trying to fix all the bugs. It’s important to start somewhere. What we typically call it is baselining where you kind of know your current quality of your software as it is right now, and the point is to start following a security standard and stopping new vulnerabilities from being introduced, and then you can go back and start working on the prioritization of what to fix to start cleaning up. Right?
And also when you look at it and it seems insurmountable, you might want to spend some time looking at your past kind of customer weaknesses that were found or bugs that were found and kind of understanding in addition to what the standard is important, looking at what types of vulnerabilities you’ve produced or have reported back and focus there. That’s a good start, you know? You know kind of what your developers’ training weaknesses are and then you can implement kind of teaching, learning, training processes as well to help getting your development team more comfortable, more experienced in dealing with these types of issues.
Ashley: Sometimes also building on what you said, it can help bring to light other issues along the process like, for example, we keep getting libraries introduced into code that we don’t realize are there and they show up as a security vulnerability. Okay, well, let’s go fix that part of the process too so we know that those things are there and when updates happen they go through some defined process. Another one might be it’s not just new things we find but also repeats, things we consistently find, occasionally over and over whatever frequency. Okay, if we’re fixing them but how do we stop introducing them? What are good ways to help that? It might be education tools, et cetera. Lots of ways to do that. So to both of your point, to your point too, Jill, don’t ask questions you’re not going to do something about the answer, right?
Britton: That’s right. That’s exactly right.
Ashley: So you have to take action on it and of course that’s ultimately why you’re doing it. You’re not just going through the motions to meet some paper standard because that will catch up with you very quick if you do something like that.
Britton: _____. It will. You’re absolutely right.
Foster: Just buying yourself technical debt and risk.
Ashley: Yeah, exactly. And it will catch up with you. How do you introduce this to some people words like process, standards, compliance, audits, anything with an ISO in front of it? Those kinds of things just sort of kick up the you’re cramping my style here, right? You’re putting a damper on my ability to be creative and write code. I’m bring a little bit hyperbolic, but not everybody reacts to those things favorably. How do you position this with organization so that it’s not just a dreaded thing we have to do, there’s actually really business value to it and it’s good for you and your career?
Britton: Well, the whole thing with following a process is the developers can be involved in this process and then go through their careers excel help develop this process. But the process shouldn’t be stifling. It should never stifle the creativity. The whole idea of the process is tell me what you do and how do you prove that’s what you do? Okay, that’s fine. Now maybe how can we tweak it and do a little better? It’s the pro thing of continuous improvement that comes up in all the audits.
We’re actually ISO 9001 certified. So we’re all going through this on a regular basis. You know, but we’re not trying to stifle our developers. They will say, “Well, okay, we have this process. It’s not quite working for us. Can we make some modifications?” We go, yeah, looks fine. We talk to the necessary people and usually it’s absolutely fine. So we involve the developers all the way through and they will then follow it because it’s their own process.
Foster: Yeah, I think the goal is the least amount of friction and introducing it over time. And as Jill said, there’s continuous improvement, right? It’s a long-term goal. It’s not something that’s done once and you get over the big hump of pain and it’s a ton of crunch work. It’s just something that you do over time. You look at agile development, right? People do standups. There’s processes, you know. There’s a level of documentation and planning that isn’t overly annoying. You know, the goal of DevOps is to automate a lot of those finicky processes so that they’re fast, they’re repeatable, they give time back, right? They report information back as quickly as possible so that they can be resolved quickly, right? That’s just lowering the friction, the pain of going back and fixing a feature or some sort of development commit, right? And then you’re just layering on another check layer of security, right? And it should be painless. It should be easy.
As you mature over time, then the quality is going to get better and that goes back to the metrics that Jill was mentioning, not just having a number but seeing that number go down. And then having your teams be able to see that kind of dashboard or information as a feedback mechanism to say, you know, you can visually see the qualities improving. You know, customer reports of issues from the field are going down because our quality is going up. Why? Not just because of security but because of all the automation and the unit tests and checks that you have written and you’ve made the effort to produce better quality code and it’s going to pay dividends.
Ashley: I like the idea of tying it a continuous improvement process whether you label that as quality or other things because you can apply that to your DevOps process, to your tool chain, to the quality of your code, safety, security, making compliance easier for you, just improving your overall how you write software, maybe workflows and things like that. So you can make some of these compliance activities or standards activities really part of just maturing your organization and getting better at what you do, working on the organization as well as in it.
Question for you, how do things like the privacy laws, you know, GDPR, CCPA for California, do those fall into this realm as well? Do they impact the developers as we’re talking about the use of customers’ information and of course we’re handling that in the applications? Is that something developers need to be that familiar with or is that more of the marketing department that are sending e-mails to people?
Britton: It’s not greatly down with the developers, but it really depends on the type of data that they’re handling. Looking at the tools that Stuart and I work with, we’re not getting/bringing in external tools because it’s a static analyst tool. So we’re not looking at that. But when you get to things in the field, the developers have to be aware if they are going to be handling personal information and they then do have to have GDPR and that has to be included into any process – how are we going to handle this.
Foster: Yeah, and there are coding rules that, you know, try to help with these types of things. You know not having hard coded secure passwords, not using magic numbers, various levels of encryption that should be written, or warnings that you’re using an outdated type of like encryption in your software, the ability to handle unvalidated inputs and outputs. Things like that are going to help cover some of the requirements for GDPR. So you need to kind of understand how your system is interacting with other systems and securing your APIs and all things like that. So it’s not just your piece of software at that point. Your developers need to be aware as to how your software is going to be used and implemented and how it’s going to communicate with other pieces of software or systems.
Britton: That brings us back to the weaknesses we were discussing earlier because there are weaknesses that actually cover that type of data.
Britton: What are you doing with it.
Ashley: Vulnerabilities in our software could lead to the loss of data. That could be a violation of those privacy laws of course, as well as other impacts, whatever it was. Well good. This has been a lot of fun. I’ve really enjoyed talking with you about this aspect of creating secure software. We’ve mentioned static code analysis and tools a little bit. I know this isn’t a commercial about Perforce, but would one of you just kind of position for us where in the process of what we talked about today where Perforce really plays in kind of your specialty in this area?
Foster: Yeah, sure. So in terms of our product which our static analysis products, both Klocwork and Helix QAC, we fit in many different areas of kind of a development pipeline and process. We exist to make sure vulnerabilities are found while the developer is currently typing their code on their desktop. We also fit in for gated checks and quality checks in your SI/CD pipelines so we can quickly report back issues and also your typical if you’re running a nightly on a server or if you’re deploying checks and building your software in the cloud and provision instances and any sort of thing like that. We’re basically available anywhere. So we help you shift left as far as you want. We provide those security checks anywhere just for the ability to drive what I would call continuous compliance.
Ashley: Excellent. Great. Well, Stuart, Jill, it’s been a lot of fun talking with you and hope everyone – wish you the best in your journey on creating even more secure software. We’ll speak with you again soon. Take care.
Foster: Awesome. Thanks, Mitch.