Core Software Security by Anmol Misra, James Ransome

Foreword

The global cyber security threat is increasing on a regular basis, if not
daily. The recurring question is how we address the current threat of global
cyber security. The authors have aptly named their book in response to
this question, in that the answer is to create software that has as minimal
vulnerabilities as possible. In other words, focus on securing at the
source first, instead of taking shortcuts by only trying to secure network
infrastructure. Perimeter security and defense-in-depth have their place
in security, but software security is the first line of defense and should
come first. If you have fewer vulnerabilities at the source, it also takes out
the financial benefit of nation states or organized crime stockpiling cyber
weapons based on current vulnerabilities. Not only must we get better
at it, we must make the solutions cost-effective, operationally relevant,
and feasible, based on real-world experience, and worth the investment.
Securing at the source requires securing the software, which is at the
heart of cyber infrastructure. One of the things we have been constantly
facing over the last 20 years is that software has become a critical component
of every part of our critical infrastructure and everyday lives. We
are already seeing software embedded within a vast variety of things we
use in our daily lives—from smart meters in our home to cars we drive.
Unfortunately, software security has not evolved at the same pace, and
many software products are still developed in an environment with the
intent that they fix the problem after release rather than doing it right the
first time around. There are two major issues with this:
1. There are no shortages of threats out there today; therefore, people
who are looking to exploit software vulnerabilities have a pretty
fertile field in which to work. As a consequence, we have to make
sure we are doing better vulnerability management. We also have to
look toward the future and ask ourselves, “How can we avoid having
these types of vulnerabilities in future generations of software that
we are increasingly dependent on?” The answer to this question is
particularly important because it is very beneficial to companies to
reduce these vulnerabilities and to stop them during the software
development process. It is significantly less expensive to build security
in through the use of an SDL than to come back and fix it post-release.
2. The second issue is that we need to start looking at a whole generation
of what is referred to as zero-day vulnerabilities. If we can
eliminate the likelihood of finding a zero day by not allowing the
vulnerabilities to take place from the very beginning by adhering
to the best practices of a solid SDL, it will save companies money,
make the software and its users more secure, the critical infrastructure
more resilient, and overall, more beneficial to us all.
As the Executive Director of the Software Assurance Forum for
Excellence in Code (SAFECode), a nonprofit organization dedicated
exclusively to increasing trust in information and communications
technology products and services through the advancement of effective
software assurance methods, I currently have a major focus on security
training for developers. The lack of security awareness and education
among the software engineering workforce can be a significant obstacle
to organizations working to implement software security programs.
However, better training for software developers so they have the skills
needed to write secure code is just one of the variables in the software
security equation. Software projects are under the constraints of costs
and tight timelines. In those situations, it is inevitable that security is
sacrificed somewhere because of shortcuts taken. Cost, time, and resources
are typically the triad of software development supporting security, and
if you sacrifice one of the three, security and quality suffer. A software
development environment is built around a programmer who is pressured
on every side to work faster, to cut corners, and to produce more code at
the expense of security and quality.
It is impossible to have 100 percent security, but the developers and
their management should always strive to maximize the mitigation of
risk. It is about making it so difficult to access in an unauthorized manner
that adversaries: