Perhaps no segment of the security industry has evolved more in the last decade than the discipline of software security. At the start of the 2000s, software security was a small, arcane field that often was confused with security software. But several things happened in the early part of the decade that set in motion a major shift in the way people built software: the publication of Bill Gates’s Trustworthy Computing memo, the release of Building Secure Software and Writing Secure Code, and a wave of high-profile attacks such as Code Red and Nimda that forced Microsoft, and ultimately, other large software companies, to get religion about software security. To get some persepctive on how far things have come, Threatpost spoke with Gary McGraw of Cigital about the evolution of software security since 2001.
This is an edited transcript of a recorded conversation that Threatpost Editor Dennis Fisher had with McGraw.
In 2001, software security was really very new, and not many people knew about it or thought about it. In fact, I had a hard time even convincing my mom that it was a good thing to work on, but we got some momentum from the Java security issues that Ed Felten and I wrote about in the late ‘90s. And we were thinking to ourselves: “Why is it that these amazing guys like Guy Steele, who’s a phenomenal languages guy, and Bill Joy, who wrote Berkeley Unix–no hacks–screwed it up when it came to JAVA and security.” And if you were a developer – somebody who was building and designing, and implementing one of these systems – where would you go to learn how to do it right? And the answer was nowhere.
So that’s why we wrote Building Secure Software, which just happened to come out in 2001, you know, ten years ago – go figure. It was quickly followed by Microsoft’s first book, Writing Secure Code, that Mike Howard wrote with Steve Lipner. Remember, that was the time when Microsoft was completely getting hammered by Nimda, right after 9/11, and Code Red and all of the malware that was aimed at their incredibly vulnerable software. It became such a big deal that Bill Gates wrote the famous Trustworthy Computing Initiative memo.
The Early Days
So Bill Gates wrote that memo and really tried to turn the entire Microsoft boat a few degrees towards security, which is really cool. Now, ten years later Microsoft has made great strides in software security, and they have learned a lot of lessons that other people can emulate, and they’re publishing stuff and sharing stuff, so that’s pretty cool. So right about the middle of the ten years, five years in, everybody realized that the way to do this was to integrate stuff into your software development lifecycle. However, the process alone is not enough, and if you did anything to study large-scale software security initiatives of the sort that Microsoft Trustworthy Computing Initiative is one, then you could find out that you needed more than just process to attain software security. So we created the first version of the BSIMM, in 2009, by describing the observations that we made – describing facts about software security initiatives out there.
The reason this is important is because when you start a field out, like we did in 2001 with the philosophy, there’s an awful lot of cheerleading and evangelism and advocacy, and there are a lot of people with good ideas, and ideas are great, that’s really important for booting a field. However, ten years later, the time comes to turn the corner to science, and to talk about facts, and how things work – to talk about large-scale enterprises approach to this problem, and how you garner resources, the politics involved, and all that stuff. And there a lot of people that are working every day professionally doing software security.
So we’ve turned the corner from kind a philosophy and an idea, and then a process approach to an actual enterprise software security initiative description and science that makes sense. So that’s extremely cool.One of the funny things about security is, often if you’ve been in computer security for 10 or 15 years, you turn into this sort of a cynical curmudgeon. I’m actually sort of an optimistic guy; I think that we’ve made a huge amount of progress in software security in the last decade. Now we are not done, and we have, by no means, solved the problems, but boy have we made great progress.
The Current Landscape
What has changed is that we now know how to accomplish some of those large-scale principles and goals by building better software and avoiding vulnerabilities. Another important change, although we haven’t made quite as much progress, is in the notion of looking at design, and trying to find design flaws and eradicate those early in the lifecycle. You know, Microsoft has an approach called Threat Modeling, we had something called Architectural Risk Analysis, and basically they’re the same idea: let’s take a look at this design, at a forest level view, and make sure that the forest looks secure and not just all of the trees in the forest. And we’ve made a lot of progress there, too.
Then, finally, I think that those people who have thought about how systems break, have done a lot to move the field forward, too. Because if you know how your system will be attacked and what sort of shape attacks will take, then, and only then, can you build the fences that actually work.
The main thing I’d like to see in software security is a better set of programming languages themselves. So in 2001, C was a disaster, C++ was a disaster, Java was getting better, .NET was getting even better. You know, we’ve been moving slowly towards languages that at least have different sorts of vulnerabilities built into them, and make the job of software security easier. So I’d like to see a whole new class of languages that are designed with security right up front. And maybe we can get that accomplished in ten years. I’ve talked to Bill Joy about whether that’s possible, and we sort of wonder, but it might be possible.
Then I also think that some of the lessons that we’ve learned among the early adopters – you know, these 42 firms that we’ve studied, that are large enterprises – show us that you can, in fact, build a software security initiative that gets stuff accomplished, and makes forward progress. And we can take those ideas and spread it to the rest of the world. So I think the notion of having the Fortune 1,000 all doing software security is not outside the realm of possibility, and sort of the vast middle market is just beginning to develop for software security stuff. So I think you’ll see the field just grow and expand, and people – even consumers understanding about the field will go up.
Gary McGraw is the CTO of Cigital and the co-author of Building Secure Software, Software Security, Exploiting Software and other books.