Implementing Source Code Vulnerability Testing in the Software Development Life Cycle
RYAN BERG - Co-Founder and Chief Scientist, Ounce Labs
This paper documents a series of workflow models to help guide how automated source code analysis can be implemented into an existing development process.
Organizations should implement source code [analysis] tools as part of the software development life cycle to find and fix the highest number of security issues early in the project. This will result in a higher-quality product and lower overall application life cycle costs. Gartner Research(1)
Countless studies and analyst recommendations point to the value of improving software security during the software development life cycle (SDLC) rather than trying to address security vulnerabilities discovered after widespread adoption and deployment. The justification is clear.
For software vendors, security vulnerabilities found in their products incur costs both directly and indirectly. Reassigning development resources to create and distribute patches can cost software vendors millions of dollars, while successful exploits of even a single vulnerability have in some cases caused billions of dollars in losses to businesses worldwide. Vendors blamed for security vulnerabilities in their product's source code also lose credibility, brand image, and competitive advantage. A 2005 study by Carnegie Mellon found that the stock price of a vendor declined an average of .63 percent relative to the NASDAQ after a security vulnerability was discovered in its software.(2)
Studies with this level of detail are not available for flaws found in custom enterprise software developed in-house or outsourced, but in all cases there is agreement that the earlier in the life cycle a vulnerability is discovered, the cheaper it is to address. Research published by B. Boehm and V. Basili in IEEE Computer found that fixing a software defect after deployment costs more than 100 times what it would have cost to fix it at the first stages of the development life cycle.(3) For security defects, late-stage costs are often much higher, because in addition to remediating the flaw, the organization may suffer data theft, sabotage, or other attacks from successful exploits.
Automated source code analysis is widely recognized as the most effective method of source code security testing early in the life cycle, because it allows assessments of any piece of code without requiring a completed application. The best of these technologies provide the most valuable results by pinpointing each security vulnerability at the precise line of code and detailing information about the type of flaw, degree of criticality, and how to fix it. In addition to automated source code analysis, penetration testing is an important element of software security, but its value comes later in the life cycle, when it can be used on a completed application with a functional interface.
In this whitepaper:
(1) Amrit Williams, "Implement Source Code Security Scanning Tools to Improve Application Security," Gartner, April 4, 2006.
(2) Robert Lemos, "Study: Flaw disclosure hurts software maker's stock," SecurityFocus, June 6, 2005.
(3) B. Boehm and V. Basili, "Software Defect Reduction Top 10 List," IEEE Computer, January 2001.