Most flaws in software result in quality problems that can lead to security vulnerabilities. Incremental changes in functional and quality testing, however, can lead to improved software quality and security while also reducing costs.
“Two-thirds of problems in software are because somebody did something wrong, like not properly validating user input, that led to functional problems,” said Andrew Murren, CISSP, CSSLP, Sila Solutions Group, a technology and management consultancy, Arlington, VA.
The root causes of approximately 67 percent of software security weaknesses and potential vulnerabilities are functional issues. Studies done by the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University, have found a direct relationship between software quality and software security. Studies have also determined that:
- One-to-five percent of delivered defects are security vulnerabilities;
- Approximately 60 percent of all defects are not due to coding;
- Low-dependability software costs about 50 percent more to maintain than to develop;
- High-dependability software costs about 15 percent less to maintain than to develop; and
- Developers doing maintenance after software has been released spend 50-60 percent of their time trying to understand the code. Other studies have found that developers with disciplined personal practices can reduce defect introduction rates by up to 75 percent. This means that individual developers who follow good coding practices can significantly reduce the number of defects they introduce, irrespective of poor development habits by other developers or organizational resistance to rigorous development practices.
Here are six steps software developers can take to improve security through quality.
- Enforce the use of consistent coding standards: The coding style guide should be language specific and cover items like file-naming conventions, the representation of non-ASCII characters and the use of wild card imports. Also, don’t add rules that don’t improve consistency, reliability, maintenance or security.
- Use automated testing tools: This includes code checking in the integrated development environment with analysis tools like FxCop, Checkstyle and JUnit.
- Test for things you don’t want (negative testing) not just what you want (positive testing): Testing must include tests for mistakes by users (such as typing a “q” instead of “1” for a phone number, for example) and when things go wrong (such as when a file cannot be opened).
- Build and share libraries for common tasks such as validating user input: Write, maintain, and share libraries for doing common tasks, especially ones that are hard to get right such as input validation of common items such as names and phone numbers.
- Take advantage of code reviews: Peer reviews can catch more than half of all defects, they help enforce the use of consistent coding standards, and are useful as a learning and training tool.
- Add security related requirements and test cases from the very beginning of the process: Classify security requirements, such as input validation, as functional requirements instead of non-functional requirements. Develop use cases (what you want), misuse cases (what you don’t want), and abuse cases (what an attacker could do). Include white lists (what is allow) instead of black lists (what is not allowed). Don’t trust anyone or anything until it is verified, and use approved encryption for data-at-rest and data-in-transit.
Murren said that software developers should live by the watchwords, “poor code equals insecure code.” To emphasize that improving software quality and security is a long process and should be done incrementally and deliberately, Murren added: “Improving quality and security follow the same principle used for eating an elephant, it is done one bite a time.”