Over the last few weeks, we’ve been discussing the importance of holistic thinking when considering our digital transformation. How do you focus on delivering new value rather than simply delivering new things? Last time I discussed the need to create time for innovation by making tools such as Klocwork available to software engineers. Borrowing from Joshua Kerievsky’s modern agile principles, this article focuses on security (safety) as a prerequisite.
The word “prerequisite” is chosen deliberately, as opposed to calling security a priority. If security is merely a priority, it can somehow end up ranked below, say, a slick new UI. As an industry, we have learned that we cannot test security in after development. Instead, we need to build security into our products.
In other words, security is a prerequisite before we even begin to design and code our products.
Unfortunately, most software developers are set up poorly when it comes to security. Some vertical markets with mission-critical applications, such as healthcare and the payment card industry (PCI), require secure code reviews to systemically improve their situation. The PCI Security Standards Council clarified Requirement 6.6 on code reviews, stating that reviews need not be limited to manual inspection, and recommended four options:
• Manual review of application source code
• Proper use of automated application source code analyzer (scanning) tools
• Manual web application security vulnerability assessment
• Proper use of automated web application security vulnerability assessment (scanning) tools
How to improve code security
My recommendation is to combine these options: mix manual inspection with scanning tools. The manual step catches flaws in design and architecture that automated tools cannot uncover. Automated code reviews can quickly detect hundreds of vulnerabilities, including SQL injection and cross-site scripting, across large chunks of code. Furthermore, integrated with continuous integration (CI) systems such as Jenkins, your teams can analyze incremental code changes, finding the issues that matter to you much sooner.
Klocwork highlights many issues, including buffer overflow, unvalidated user input, SQL injection, path injection, file injection, cross-site scripting, information leakage, and weak encryption. And Klocwork does this in a sophisticated way. For example, when analyzing for a SQL injection vulnerability, it can trace back through the code to the point where the parameters of the function call were obtained. The tool then determines whether that input reached a SQL query string without being escaped or sanitized as it should be, so that the data cannot carry commands that cause unintended behavior.
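As an added illustration of the trace-back just described (example code written for this article, not Klocwork’s own analysis), here is a minimal, flow-insensitive taint check over Python source: function parameters are the taint sources, assignments propagate taint, a call to a helper assumed to be named `escape` is treated as a sanitizer, and `cursor.execute` is the SQL sink.

```python
import ast

SINKS = {"execute"}      # DB-API method that runs a query string
SANITIZERS = {"escape"}  # assumed name of an escaping helper (not a real library)

def taint_of(node, tainted):
    # Tainted names reaching this expression; a sanitizer call stops propagation,
    # concatenation, %-formatting and f-strings pass it through unchanged.
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
            and node.func.id in SANITIZERS:
        return set()
    if isinstance(node, ast.Name):
        return {node.id} if node.id in tainted else set()
    return set().union(*(taint_of(c, tainted) for c in ast.iter_child_nodes(node)))

def analyze_function(func):
    # Parameters are the taint sources. Propagate through assignments to a
    # fixpoint (flow-insensitive, so it over-approximates), then check sinks.
    tainted = {a.arg for a in func.args.args}
    changed = True
    while changed:
        changed = False
        for n in ast.walk(func):
            if isinstance(n, ast.Assign) and taint_of(n.value, tainted):
                for t in n.targets:
                    if isinstance(t, ast.Name) and t.id not in tainted:
                        tainted.add(t.id)
                        changed = True
    findings = []
    for n in ast.walk(func):
        if (isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
                and n.func.attr in SINKS and n.args):
            if bad := taint_of(n.args[0], tainted):
                findings.append((func.name, n.lineno, sorted(bad)))
    return findings

def scan(source):
    # Report (function, line, tainted names) for every sink fed by raw input.
    return [f for n in ast.parse(source).body
            if isinstance(n, ast.FunctionDef) for f in analyze_function(n)]

# Constructed sample: one unsafe concatenation beside two safe variants.
SAMPLE = '''def find_user(cur, name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cur.execute(query)
def find_user_bound(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
def find_user_escaped(cur, name):
    query = "SELECT * FROM users WHERE name = '%s'" % escape(name)
    cur.execute(query)'''
```

Only `find_user` is reported: the bound-parameter version passes a constant query string, and the escaped version routes the input through the assumed sanitizer before it reaches the sink.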
If you are dealing with large-scale in-memory applications such as SAP HANA, our TotalView product helps uncover memory leaks when dealing with hundreds of thousands of processes and threads.
Regardless of the tools and processes you use, the key is to make safety a prerequisite for both your developers and your customers. Innovate with confidence.