NEWS AT SEI
This article was originally published in News at SEI on: March 1, 2006
To improve efficiency, organizations today promote integration through networked systems. Yet when they do so, they increase the risk of intrusion and compromise if software is not secure. Integrating software and system security can mitigate the risk. The Build Security In (BSI) Software Assurance Initiative seeks to alter the way software is developed so that it is less vulnerable to attack and security is “built in” from the start.
Typical software development life-cycle models are not focused on creating secure systems and exhibit shortcomings when the goal is to develop systems with a high degree of assurance [Marmor-Squires 88]. If addressed at all, security is often relegated to a separate thread of project activity in which it is treated as an add-on property [Mead 01].
“Security considerations should not be treated separately from primary system-development tasks,” says Nancy Mead, senior member of the technical staff at the SEI CERT Program and technical lead of the BSI initiative. “To develop systems with required functionality and performance that can also withstand failures and compromises, security should be integrated and treated the same as other system properties. Important requirements and design decisions and tradeoffs become more difficult when security is not integrated into the primary development life cycle.”
Separate threads of activities are expensive and labor intensive, often resulting in duplicated effort in design and documentation. In addition, tools for supporting security engineering are often not integrated, and technologies that support security goals such as formal specification, architecture tradeoff methods, intrusion analysis, and security design patterns are not effectively applied into the development process. When security is treated separately, it becomes more difficult to adequately assess the risks and consequences of failure.
“For each life-cycle activity,” says Mead, “security goals should be addressed and methods to ensure security should be incorporated.”
One way of illustrating a life-cycle approach that incorporates security into each major activity is shown in Figure 1. The emphasis is on artifacts, and the activities support production of the artifacts.
Many reported security incidents are the result of exploits against defects in the design or code of software, and many security efforts attempt retroactively to bolt on devices that make it more difficult for those defects to be exploited. But this approach does not address the root problem or threat.
BSI is a project of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). NCSD has sponsored development and collection of software-assurance and software-security information that will help software developers and architects create secure systems.
“We saw the need to create awareness of software security in a number of audiences,” says Joe Jarzombek, director for software assurance at NCSD. “New software developers, acquisition professionals, and managers, for example, sometimes don’t understand their roles in making software secure, and our initiative will eventually provide each of these groups and others with tools they can use to incorporate security considerations from the earliest stages of a project.”
As part of the initiative, BSI published an online content catalog, which is based on the principle that software security is fundamentally a software engineering problem and must be addressed in a systematic way throughout the software-development life cycle. The catalog contains or links to a broad range of information about best practices, tools, guidelines, rules, principles, and other knowledge to help organizations build secure and reliable software.
The BSI catalog organizes material in categories of best practices, knowledge, and tools.
architecture and analysis
black box testing
A significant portion of the BSI site is devoted to best practices that can provide the biggest return considering current best thinking, available technology, and industry practice.
Software defects with security ramifications—including implementation bugs and design flaws such as buffer overflows and inconsistent error handling—are likely to persist. The BSI team has identified recurring patterns of software defects that lead to vulnerabilities and has documented detailed instructions on how to produce software without these defects.
The BSI site describes tools that can help eliminate defects before code is released. The site currently covers black-box testing and source-code analysis tools; a modeling-tools topic is slated for future development.
Users can approach the online content in several ways. For example, a software engineer might use the catalog to determine applicable security guidelines, while an architect might use it to determine how to design a Web-services application in a secure fashion, and a development team leader might use the information to justify software-assurance techniques to management by building a business case.
To help ensure that this software assurance initiative is accepted and supported by software-development organizations, DHS NCSD involved participants from industry, academia, and government. A Software Technical Working Group (STWG) reviewed the catalog content and continues to develop future content for the site.
Outreach activity includes a series of NCSD workshops and working-group sessions at which participants can receive and share information about software-assurance resources. Feedback from users of the content catalog, both at workshops and online, will be used to further develop or modify the content.
The initiative also plans to continually add to and update content on the Web site. For example, Version 1.0of Secure Software Assurance: A Guide to the Common Body of Knowledge and Security in the Software Lifecycle, a developers guide, will be released soon and posted on the BSI Web site.
To learn more about the Build Security In initiative, see the Web site.
Marmor-Squires, A. B. and P. A. Rougeau. “Issues in Process Models and Integrated Environments for Trusted Systems Development,” 109-113. Proceedings of the 11th National Computer Security Conference. Fort George G. Meade, MD, Oct. 17-20, 1988. Washington, D.C.: United States Government Printing Office, 1988.
Mead, N. R., R.C. Linger, J. McHugh, and H.F. Lipson. “Managing Software Development for Survivable Systems.” Annals of Software Engineering 2 (2001): 45-78.
For more information
Please tell us what you
think with this short
(< 5 minute) survey.