Initiative Advocates Building Security In from the Start

NEWS AT SEI

This article was originally published in News at SEI on: March 1, 2006

To improve efficiency, organizations today promote integration through networked systems. Yet when they do so, they increase the risk of intrusion and compromise if software is not secure. Integrating software and system security can mitigate the risk. The Build Security In (BSI) Software Assurance Initiative seeks to alter the way software is developed so that it is less vulnerable to attack and security is “built in” from the start.

Typical software development life-cycle models are not focused on creating secure systems and exhibit shortcomings when the goal is to develop systems with a high degree of assurance [Marmor-Squires 88]. If addressed at all, security is often relegated to a separate thread of project activity in which it is treated as an add-on property [Mead 01].

“Security considerations should not be treated separately from primary system-development tasks,” says Nancy Mead, senior member of the technical staff at the SEI CERT Program and technical lead of the BSI initiative. “To develop systems with required functionality and performance that can also withstand failures and compromises, security should be integrated and treated the same as other system properties. Important requirements and design decisions and tradeoffs become more difficult when security is not integrated into the primary development life cycle.”

Separate threads of activities are expensive and labor intensive, often resulting in duplicated effort in design and documentation. In addition, tools for supporting security engineering are often not integrated, and technologies that support security goals, such as formal specification, architecture tradeoff methods, intrusion analysis, and security design patterns, are not effectively applied in the development process. When security is treated separately, it becomes more difficult to adequately assess the risks and consequences of failure.

“For each life-cycle activity,” says Mead, “security goals should be addressed and methods to ensure security should be incorporated.”

One way of illustrating a life-cycle approach that incorporates security into each major activity is shown in Figure 1. The emphasis is on artifacts, and the activities support production of the artifacts.

Figure 1: Incorporating Security into Life-Cycle Activities


Building Security In

Many reported security incidents are the result of exploits against defects in the design or code of software, and many security efforts attempt retroactively to bolt on devices that make it more difficult for those defects to be exploited. But this approach does not address the root problem or threat.

BSI is a project of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). NCSD has sponsored development and collection of software-assurance and software-security information that will help software developers and architects create secure systems.

“We saw the need to create awareness of software security in a number of audiences,” says Joe Jarzombek, director for software assurance at NCSD. “New software developers, acquisition professionals, and managers, for example, sometimes don’t understand their roles in making software secure, and our initiative will eventually provide each of these groups and others with tools they can use to incorporate security considerations from the earliest stages of a project.”

As part of the initiative, BSI published an online content catalog, which is based on the principle that software security is fundamentally a software engineering problem and must be addressed in a systematic way throughout the software-development life cycle. The catalog contains or links to a broad range of information about best practices, tools, guidelines, rules, principles, and other knowledge to help organizations build secure and reliable software.

BSI Content Catalog

The BSI catalog organizes material in categories of best practices, knowledge, and tools.

Best Practices

architecture and analysis
assembly, integration and evaluation
code analysis
deployment and operations
incident management
measurement
penetration testing
project management
requirements engineering
risk management
security testing
threat modeling
training and awareness
white box testing

Knowledge

attack patterns
business relevance
coding practices
coding rules
guidelines
historical risks
principles
SDLC process

Tools

black box testing
modeling
source code analysis

Best Practices

A significant portion of the BSI site is devoted to best practices that can provide the biggest return considering current best thinking, available technology, and industry practice.

Knowledge

Software defects with security ramifications, both implementation bugs such as buffer overflows and design flaws such as inconsistent error handling, are likely to persist. The BSI team has identified recurring patterns of software defects that lead to vulnerabilities and has documented detailed instructions on how to produce software without these defects.
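The two defect classes named above, shown side by side with versions that build the check in. This is an added illustration written for this page, not material from the BSI catalog; the function names, the NAME_MAX limit, and the status enum are hypothetical. The first "before" function overflows its fixed buffer on long input; the second bounds the copy but reports success even when it silently truncated, so a caller cannot distinguish a good result from a mangled one. The "after" version rejects over-long input outright and reports every failure through one status code, leaving the buffer in a defined (empty) state on error.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size field, e.g. a user name stored in a record. */
#define NAME_MAX 16

/* --- BEFORE (implementation bug): no bound check at all ----------------
 * Any src of NAME_MAX bytes or more writes past the end of dst.
 * Kept here only to show the defect; never call it with untrusted input. */
static void set_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);                       /* overflow when strlen(src) >= NAME_MAX */
}

/* --- BEFORE (design flaw): inconsistent error handling -----------------
 * A NULL src is an error (-1), but an over-long src is silently truncated
 * and still reported as success (0). The caller has no way to tell. */
static int set_name_inconsistent(char dst[NAME_MAX], const char *src)
{
    if (src == NULL)
        return -1;
    strncpy(dst, src, NAME_MAX - 1);        /* silently drops the tail */
    dst[NAME_MAX - 1] = '\0';
    return 0;                               /* "success" even when truncated */
}

/* --- AFTER: bounded copy with a single, explicit error contract --------- */
enum name_status { NAME_OK = 0, NAME_ERR_NULL = 1, NAME_ERR_TOO_LONG = 2 };

static enum name_status set_name_checked(char dst[NAME_MAX], const char *src)
{
    if (dst == NULL)
        return NAME_ERR_NULL;
    dst[0] = '\0';                          /* defined state on every error path */
    if (src == NULL)
        return NAME_ERR_NULL;

    /* Look for the terminator within NAME_MAX bytes only, so the check
     * itself never reads past the caller's allowed length. */
    const char *nul = memchr(src, '\0', NAME_MAX);
    if (nul == NULL)
        return NAME_ERR_TOO_LONG;           /* >= NAME_MAX chars: no room for NUL */

    size_t len = (size_t)(nul - src);
    memcpy(dst, src, len + 1);              /* copies the terminator too */
    return NAME_OK;
}

/* Demonstration driver: short input is fine everywhere; the 16-character
 * input is accepted by the inconsistent version and rejected by the
 * checked one. (The unsafe version is only exercised with a short name.) */
int main(void)
{
    char buf[NAME_MAX];
    const char *ok_name   = "alice";            /* constructed sample input */
    const char *long_name = "0123456789abcdef"; /* 16 chars, one too many */

    set_name_unsafe(buf, ok_name);
    printf("unsafe, short input      -> \"%s\"\n", buf);

    int rc = set_name_inconsistent(buf, long_name);
    printf("inconsistent, long input -> rc=%d, stored \"%s\" (truncated)\n", rc, buf);

    enum name_status st = set_name_checked(buf, long_name);
    printf("checked, long input      -> status=%d, stored \"%s\"\n", st, buf);

    st = set_name_checked(buf, ok_name);
    printf("checked, short input     -> status=%d, stored \"%s\"\n", st, buf);
    return 0;
}
```

Compile with `gcc -Wall -Wextra` and run; the point of the checked version is that the only decision a caller has to make is `if (st != NAME_OK)`, with no hidden success-with-data-loss path.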

Tools

The BSI site describes tools that can help eliminate defects before code is released. The site currently covers black-box testing and source-code analysis tools; a modeling-tools topic is slated for future development.

Users can approach the online content in several ways. For example, a software engineer might use the catalog to determine applicable security guidelines, while an architect might use it to determine how to design a Web-services application in a secure fashion, and a development team leader might use the information to justify software-assurance techniques to management by building a business case.

Outreach and Further Development

To help ensure that this software assurance initiative is accepted and supported by software-development organizations, DHS NCSD involved participants from industry, academia, and government. A Software Technical Working Group (STWG) reviewed the catalog content and continues to develop future content for the site.

Outreach activity includes a series of NCSD workshops and working-group sessions at which participants can receive and share information about software-assurance resources. Feedback from users of the content catalog, both at workshops and online, will be used to further develop or modify the content.

The initiative also plans to continually add to and update content on the Web site. For example, Version 1.0 of Secure Software Assurance: A Guide to the Common Body of Knowledge and Security in the Software Lifecycle, a developer's guide, will be released soon and posted on the BSI Web site.

To learn more about the Build Security In initiative, see the Web site.

References

[Marmor-Squires 88]
Marmor-Squires, A. B. and P. A. Rougeau. “Issues in Process Models and Integrated Environments for Trusted Systems Development,” 109-113. Proceedings of the 11th National Computer Security Conference. Fort George G. Meade, MD, Oct. 17-20, 1988. Washington, D.C.: United States Government Printing Office, 1988.

[Mead 01]
Mead, N. R., R. C. Linger, J. McHugh, and H. F. Lipson. “Managing Software Development for Survivable Systems.” Annals of Software Engineering 2 (2001): 45-78.
