Rethinking Product

Attack-Resistant Software: Necessary but Insufficient

Eric Baize | EMC Corp.

For technology providers, developing attack-resistant software is a core element of their product security program. It's also part of their overall goal of minimizing the risk
88 May/June 2012 Copublished by the IEEE Computer and Reliability Societies 1540-7993/12/$31.00 © 2012 IEEE
This leaves technology providers with a dual challenge. First, they must make secure software development practices more efficient and more systematic. Second, they must expand the threat assumptions that guide the implementation of the traditional secure software development life cycle to account for possible attacks on the software supply chain.

Expanding the Secure Software Development Life Cycle

Expanding the threat assumptions in this manner leads to considering new categories of attacks. This might include attacks against

■ product code during development,
■ any supplier or original equipment manufacturer (OEM) involved in developing the product's software components, or
■ the product distribution channels.

The secure software development life cycle has been the main vehicle technology vendors have used to drive adoption of secure software development techniques in their engineering organizations. It's well suited to also drive the controls that protect against the attacks I just mentioned:

■ protection of the overall product development environment, focusing on not only avoiding source code leakage but also preventing unauthorized source code

and monitored independently from secure software development. For instance, source code protection is typically part of intellectual-property protection, a major focus for technology vendors.

To bridge this gap, EMC has expanded its product security standards to encompass these practices. So, the product risk review stage of our secure software development life cycle now also assesses practices for source code management, code signing, and external-component management.

Product security and internal IT security are now converging, with a serious impact on technology vendors' organizational design and risk governance.

A More Integrated Risk Governance Model

Many end-user organizations, such as financial institutions, have a software security group focused on the software they develop and use as part of their IT infrastructure. These groups are typically aligned with the organization's IT security group and follow the same IT risk governance and compliance policies and standards that manage the overall risk in the internal IT infrastructure.

Many technology providers are different. They have a product security group distinct from the IT security group and responsible for secure software development and vulnerability response
BUILDING SECURITY IN
on their internal IT infrastructure applications supporting their customers' critical business processes. Their internal IT infrastructure is becoming an extension of their customers' IT infrastructure. This makes it more difficult for them to distinguish internal IT risk from risk on customers' IT infrastructure. The need to take a holistic approach to product risk is accelerating this transformation.

This led EMC to profoundly change its risk management approach. First, we integrated product security in our overall risk governance and compliance structure, facilitating the coordination between all the risk stakeholders in the corporation. Second, we created the position of chief risk officer (a position popular in the financial-services industry) to oversee all risk-related functions, including product security. This new structure, along with our expanded secure software development life cycle, sets us up for holistically assessing and reviewing all aspects of risk.

The Road Ahead for Product Security

Better governance and an expanded secure software development life cycle are only the first steps toward the broader changes needed in software engineering and across the industry regarding how to build and deliver products that effectively resist APTs. We, as software security practitioners, have an opportunity to innovate and collaborate to better prepare our products to address this new class of threats.

Adapting Secure Software Design Techniques to the New Threats

Many security designs still rely on a trusted third party holding the master keys to the kingdom. If this third party is compromised, so is the system's entire security. Such designs have serious limitations if you assume that every computer in the environment in which the system operates is compromised.

This gives new life to old concepts such as Adi Shamir's secret sharing [9] and secure multiparty computation [10]. Applying these concepts in secure software design leads to systems in which compromising one system element doesn't compromise the system's overall security. RSA Laboratories' work provides early demonstrations of such systems applied to authentication [11].

We should also expect to see more software integrity controls being built into products. Techniques such as Intel's Trusted Execution Technology and application whitelisting enable runtime checking of executable integrity. They also help further defend against the insertion of malicious software in the product delivery chain.

Building Attack-Aware Products

In a world with APTs, early detection is critical in stopping attacks. Defensive software development techniques alone won't be sufficient. We need to innovate and develop new techniques to build "attack-aware products" that facilitate early detection of advanced threats.

Software security practitioners have made great progress incorporating into software the techniques that stop attacks targeting the most common security flaws: SQL injection, cross-site scripting, and buffer overflow. Most modern software can distinguish legitimate input from input containing a malicious string. We've done the hard work, but with a little more effort, we can greatly improve the response time to a real-time attack. If secure software can detect and stop malicious strings, it can and should also log and report incidents that are being prevented. This will provide the intelligence that security products need to better monitor activity and ensure quick attention, which can lead to prevention of data breaches.

As I mentioned before, if the software is the new firewall, it must take a more active role in the defense strategy in an IT infrastructure. It must also build on top of traditional software security defense techniques to better detect attacks in their early stage.

Securing the Ecosystem

Modern IT infrastructures run on software that's open, component based, and multivendor. Even if the largest technology providers are investing millions of dollars to solve the software security equation, attackers need only exploit one 0-day vulnerability in one software component to be successful.

Software security must become ubiquitous, designed into modern software components, and accessible to any software developer. Software security expertise remains too centralized, in the hands of a few experts in the largest organizations. Microsoft led the way by sharing early on many aspects of its Security Development Lifecycle [5]. In recent years, initiatives have emerged to share with the broader community the insight of some of the most successful software security practices. Here are two examples:

■ BSIMM (Building Security In Maturity Model; www.bsimm.
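The "attack-aware" behaviour described above (stop the malicious string, then log and report the prevented incident), as an added example that is not the column's own code: input validation that returns a structured security event whenever it rejects a value. The field rules, the attack-hint patterns and the event layout are assumptions made for this example.

```python
# Added example, not the column's own code: an "attack-aware" input check.
# A rejected value is not just dropped; the check also returns a structured
# security event so the product can log and report the attempt it prevented.
from __future__ import annotations

import json
import re
from datetime import datetime, timezone

# Constructed allow-list per field: the whole value must match or it is rejected.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
    "account_id": re.compile(r"[0-9]{1,12}"),
}

# Constructed hints that a rejected value looks like an attack, not a typo.
ATTACK_HINTS = {
    "sqli": re.compile(r"'|--|;|\bunion\b|\bselect\b", re.I),
    "xss": re.compile(r"<script|javascript:|onerror=", re.I),
}


def check_field(field: str, value: str, client: str) -> tuple[bool, dict | None]:
    """Return (accepted, event): event is None when the value is accepted and
    a JSON-serialisable security event when it is rejected."""
    if FIELD_RULES[field].fullmatch(value):
        return True, None
    hints = sorted(name for name, rx in ATTACK_HINTS.items() if rx.search(value))
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "detection_point": f"input_validation.{field}",
        "client": client,
        "sample": value[:64],  # short sample for triage; stored, never interpreted
        "hints": hints,
        "severity": "high" if hints else "low",  # a plain typo stays low
    }
    return False, event


def to_log_line(event: dict) -> str:
    """Serialise one event as a single JSON line for a log shipper or SIEM."""
    return json.dumps(event, sort_keys=True)


def handle(field: str, value: str, client: str) -> bool:
    """Typical call site: reject, report the event, and tell the caller."""
    accepted, event = check_field(field, value, client)
    if event is not None:
        print(to_log_line(event))  # stand-in for the product's own logging
    return accepted
```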
Practices in Use Today," SAFECode, 8 Feb. 2011; www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf.
5. M. Howard and S. Lipner, The Security Development Life Cycle, Microsoft Press, 2006.
6. D. Dhillon, "Developer-Driven Threat Modeling: Lessons Learned in the Trenches," IEEE Security & Privacy, vol. 9, no. 4, 2011, pp. 41–47.
7. "Claims by Anonymous about Symantec Source Code," Symantec, Jan. 2012; www.symantec.com/theme.jsp?themeid=anonymous-code-claims.
8. "Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain," SAFECode, 14 June 2010; www.safecode.org/publications/SAFECode_Software_Integrity_Controls0610.pdf.
9. A. Shamir, "How to Share a Secret," Comm. ACM, vol. 22, no. 11, 1979, pp. 612–613; doi:10.1145/359168.359176.
10. A.C. Yao, "Protocols for Secure Computations" (extended abstract), Proc. 23rd Ann. Symp. Foundations of Computer Science, IEEE CS, 1982, pp. 160–164.
11. J. Brainard et al., "A New Two-Server Approach for Authentication with Short Secrets," Proc. 12th Usenix Security Symp. (SSYM 03), Usenix Assoc., 2003, pp. 201–214.
12. G. McGraw, B. Chess, and S. Migues, "Building Security In Maturity Model," Sept. 2011; http://bsimm.com.
13. "Open Trusted Technology Provider Standard (O-TTPS) Snapshot," Open Group, Feb. 2012; www.opengroup.org/bookstore/catalog/s121.htm.

Eric Baize is the senior director and head of the EMC Corporation's Product Security Office. He represents EMC on the SAFECode (Software Assurance Forum for Excellence in Code) board of directors and serves on the BSIMM (Building Security In Maturity Model) advisory board. Contact him at eric.baize@emc.com.