More Secure Code Development Practices

Security in Software: Best Practice in Code Development
"Best practice in code development has been under active discussion by the software vendor community for some time, but it's good to hear that the SANS Institute has grasped the bull by the horns, and done something practical about the issue," said Richard Kirk, Fortify's European director. "Our own observations suggest that a large number of successful hacker attacks are caused, in part, by software flaws, which give the hackers a small chink in an application's armour to prise open," he added.

According to Kirk, by encouraging companies to include suitable language in their procurement contracts, the consortium will hopefully drive the software development industry to adopt the best practices for which a number of experts have been calling for some time.

The Fortify director went on to say that, in its March 2009 report - 'Building in security in government software' - his company recommended that the industry should adopt a best practice approach to software code development, building in security from the earliest point in an application's development and conducting thorough security tests of software prior to acceptance. The report, which was issued around the time of President Obama's appointment of a federal chief technology officer, noted that the appointment - in the

"But, as Fortify's founder and chief scientist Brian Chess also said at the time, if FISMA has done nothing else, it has helped to identify the problem," he explained.

It's against this backdrop that Fortify is pleased to add its support to the SANS Institute-led call for more secure program code development, and the introduction of best practices in the application development industry.

"Changes of this type aren't going to happen overnight, as software vendors will have to engender new working practices in their code development operations," he said. "However, if their clients start mandating the use of best practices in their commercial agreements - through the use of the correct language in procurement contracts - then that is something we can wholly support," he added. (Fortify: ma)