Third-party vendors are increasingly expected to supply enterprise clients with code that meets those businesses’ in-house secure development standards, according to software industry observers. A recent Dark Reading article profiled the coding expectations at Fidelity Investments, which has made secure software development a central business priority.
The company has used secure coding practices such as code review since it first began introducing web applications in 1997, the publication reported. Since joining the Building Security In Maturity Model (BSIMM) program, an ongoing study and security measurement program overseen by software consultancy Cigital, the company has allocated additional resources toward security testing and architecture. Fidelity uses static analysis tools and penetration testing to secure its software, and it reports an improvement in the number of vulnerabilities spotted.
“Our culture takes security very seriously, and we have a lot of support from executive management,” David Smith, vice president of application security for Fidelity, told Dark Reading. “We require that all of our code gets secure code reviewed prior to adoption.”
Rise in secure third-party development
These practices may be trickling down to smaller firms, Dark Reading suggested. The article highlighted a study from one security testing provider that showed the number of vendors getting their applications security-tested grew nearly 50 percent from January 2011 to June 2012. A separate Dark Reading article pointed to BSIMM research that suggests larger enterprises are including software security expectations in their service agreements.
“Firms are saying, ‘I know you, software producer, don’t have security compliance requirements, but I have compliance requirements out the wazoo, and you can no longer sell me software that makes it difficult for me to achieve compliance,’” Sammy Migues, a principal at Cigital, told Dark Reading.
When companies outsource aspects of software development, they run a risk of relying on code from vendors who do not institute the same quality of secure coding standards, several experts told Dark Reading. The best way for larger enterprises to combat this trend is to have a standard policy for software vendors. Organizations may also want to take responsibility for verifying the security of third-party code using analysis tools. Vendors, on the other hand, can preempt these expectations by implementing secure coding practices of their own.
“In the early days, security was always an afterthought,” Mano Paul, software assurance adviser for the ISC2, told Dark Reading. “Now security is being asked for and mandated by regulations and other driving forces.”
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.