Mission possible: Securing the software system, redefining 'high risk'

Editor’s note: So are high-risk applications those laden with many vulnerabilities but not exposed to many users? … Or applications with only a few vulnerabilities but accessed by millions of users? … Though industry pundits debate, our Q&A with Major Bruce C. Jenkins, USAF (Ret.), Fortify Software’s managing consultant, reveals a clear answer that just might redefine “high risk” for some. Edited excerpts follow.

VME: To start with, can you familiarize readers with Fortify Software, your role there, and your experience with security in the USAF?

JENKINS: Fortify is a software assurance and security provider enabling customers to reduce business risk by helping them identify and remove vulnerabilities from their existing applications and prevent the introduction of new vulnerabilities from their in-house development processes or through vendor procurements. I support this effort in Fortify Global Services by helping customers to identify that business risk and establish an approach to effectively manage it. Prior to joining Fortify, my first real experience with security began in 2004 while I was a U.S. Air Force communications squadron commander in Kuwait. It was there that I managed all communications and supporting infrastructure.

Following my experiences in Kuwait, I was part of a crisis action team that was tasked with identifying improvement areas in software security policy and process. This was necessary after discovering that one of the USAF’s human resources systems was compromised, and 33,000 personnel records were stolen. Thereafter, I led a pilot program to evaluate static analysis products. Those latter two security experiences gave me the perspective necessary to develop a framework for what has become the USAF Application Software Assurance Center of Excellence (ASACoE).

VME: You’ve said that “paranoia is a perfectly legitimate state of mind” in regard to the Internet and security. What do we have to be afraid of, technically speaking?

JENKINS: Technology in the hands of a twisted mind will be used to do harm. Spyware, rootkits, botnets, cross-site scripting, and SQL injection flaws all are ways to get at what you have that the bad guys want: data. If you have no idea about any of this stuff, then exercising a bit of paranoia or “extreme caution” is in order. Some estimates are that 80 percent of home computer users have spyware on their systems. If you feel that you are “safe” because you employ endpoint security on your home computer (antivirus, for example), your guard will be down and you will be compromised.

VME: In your military experience, you commanded a communications unit supporting 3,000+ international and U.S. forces in southwest Asia. Which technologies were most needed but not available then? Which do you think are most needed to win today’s wars, say in Iraq or Afghanistan?

JENKINS: I was stationed in Kuwait from January 2004 through April 2005. We generally were never wanting for technology solutions. If we needed something to complete the mission, we justified it and then acquired it. What would have been nice then, but simply was not available, is bandwidth. Network bandwidth was a rare commodity in southwest Asia. We had enough to carry out the mission, but a couple extra megabits of throughput for morale use would have been nice.

And I would say that bandwidth – via secure, available, and reliable networks – is critical not just for Iraq and Afghanistan, but for all warfare employing modern technologies. Partially maintaining command and control via carrier pigeon was effective during WWII, but today’s wars – and likely tomorrow’s – make full use of big pipes to carry the audio, video, and data of the front lines to the decision makers on the other side of the globe.

VME: Regarding software security, which applications are most at risk? Why?

JENKINS: This may sound flippant, but those applications most at risk are those that are exposed to the possibility of attack. Some might argue that high-risk applications are those with vulnerabilities that are readily exploited, but in addition to containing vulnerabilities, an application must be exposed. My point is, a software application that is riddled with vulnerabilities but is otherwise inaccessible is really not at risk and should be of little concern. Conversely, an application with only a small number of vulnerabilities but exposed to millions of users is high risk. If an organization relies on this application, or if an application contains sensitive data, then this is an at-risk application that should be considered for evaluation and remediation.

VME: How much do you predict cyber attacks will increase in the next 5 to 10 years?

JENKINS: If I knew precisely what that quantification looked like – mathematically – and I could use that and other data to make such a prediction … I’d have done the “Oprah” show a long time ago. But seriously, assuming that (a) there always will be some people who will do bad things, (b) the number of systems plugged into the Internet will continue to grow with each passing year, and (c) systems managers still think that software security is a problem that only the “other guy” needs to worry about, then attacks will increase. The real issue isn’t that attacks will continue to rise, the real issue is that too many companies still rely much too heavily on traditional perimeter defenses when the real problem is the software.

VME: Some software developers are focusing on EAL robustness certifications. Do you think it’s necessary for all software products to achieve those levels of security?

JENKINS: While there is some usefulness in having so-called independent third parties certify or verify software systems, whether or not it is necessary can, in my opinion, be boiled down to two points: First: Is this something that your customer is demanding? And, second: Is it economically feasible? If the answer to both questions is a resounding “yes,” then it should be done.

However, when that’s not possible, certainly other effective means exist for ensuring – or “assuring” – software security. These include instituting a secure development life cycle through policy and various tools such as software security products, tactics such as scanning source code and fixing vulnerabilities before check-in, and techniques including establishing and then following secure coding guidelines by way of corporate policy.

VME: What will be the most pivotal new technologies in the embedded software industry within the next five years?

JENKINS: In the next five years we’re going to change our definition of embedded software. It used to be that the code running on your cell phone was embedded software, but now you download apps from the Apple Store. As our embedded systems become more connected, that’s going to happen more and more. A little further down the road, Software-Defined Radio is going to change the world by connecting all of the devices that haven’t already been attached to the network.

VME: What are the dangers for governments when using open source software? What is the best remedy?

JENKINS: When people hear the phrase “open source,” they tend to focus on big-name projects such as Linux and Firefox. The truth is that there are thousands of smaller open source projects out there, many of which solve smaller programming problems. Programmers can get a real productivity boost by incorporating open source, but the downside is that the software consumer now has a supply chain problem: They don’t know where their code really came from.

When you go to the grocery store and buy a banana, it comes with a sticker that tells you where it was grown. It’s hard to do the same with open source software, and that makes software hard to trust. The remedy is a more disciplined approach to creating software. Software providers – whether they are charging for their software or not – have to understand and control their supply chain.

Bruce Jenkins is a managing consultant at Fortify Software Inc. Before joining Fortify, he was an Air Force major and chief for the United States Air Force, where he was responsible for heading the establishment of the Application Software Assurance Center of Excellence (ASACoE) – with the aim of preventing compromises of Air Force software applications and providing thought leadership and change management in how the Air Force develops, acquires, implements, operates, and maintains its software. He can be contacted at bjenkins@fortify.com.

Fortify Software 650-358-5600 www.fortify.com