Many organizations creating security-critical code, especially those in the electronic commerce arena, have reputations to protect. Banks, for example, are reluctant to talk about security problems for good reason: bank customers expect their bank to have excellent security. No one wants to play Russian roulette with his or her money (unless, of course, he or she is in Las Vegas). The same can be said of any organization that has essential information assets to protect. Strong security assurance practices can help.
The main objective behind software assurance is making sure that software does what it is supposed to do. Software assurance encompasses more than just security. The same core idea, making software behave, is deeply entwined with software reliability and software safety as well.
The most effective way to make sure your code behaves itself and does not introduce unnecessary risk is to practice sound software engineering. Following a reasonable development process is a good start. Begin with a problem-analysis phase that delivers both a set of requirements and a high-level specification. Develop a software assurance plan simultaneously, so that problems are identified and removed as early in the development life cycle as possible. The earlier you remove problems, the more money you save.
Unfortunately, many software organizations creating software for the consumer market have poor software development practices. Partly because of supercompressed development schedules, specifications are rarely created. Without a specification, it is not possible to undertake a proper security analysis.
Lack of a specification makes testing harder, too. There are two main constraints on testing in the real world: 1) Exhaustive testing is known to be impossible (one of the fun results of theoretical computer science) and 2) testing resources are always limited. This implies a direct need for ways to optimize testing and get the most bang for your testing buck. In terms of security assurance, a risk-based approach to testing is very cost effective. (See page 250.)
Automated tools and methodologies can help make software assurance more effective as well. The days in which software analysis and testing were a black art are ending. A number of technologies, for example code coverage analysis, are entering the mainstream. Test tools can be just as effective for security analysis as they are for more standard functional testing, especially when they are wielded by security experts. Advanced assurance methodologies like software fault injection are also maturing into powerful tools [Voas and McGraw, 1998].
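To make the fault-injection idea concrete, here is an added example (not code from the book or from the cited work): a hypothetical policy store that an access-control decision depends on is wrapped so that each lookup can be corrupted in a chosen way, and two versions of the authorization check are run against every fault to see which faults turn into a wrongful grant. All names, the role table and the user data are constructed for the example.

```python
"""Software fault injection aimed at an access-control decision.

Added example, not from the book: a hypothetical PolicyStore is wrapped by
FaultyStore, which corrupts each lookup in a chosen way, and a naive and a
hardened authorization check are exercised to see which injected faults
produce a grant that the unfaulted store would have denied.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample data: which role each resource requires, and who holds what.
REQUIRED_ROLE = {"ledger": "admin", "reports": "analyst"}
SAMPLE_POLICIES = {"alice": ["admin"], "bob": ["analyst"]}


class PolicyStore:
    """Hypothetical dependency the check relies on (a database or directory in practice)."""
    def __init__(self, policies: Dict[str, List[str]]):
        self._policies = policies

    def roles_for(self, user: str) -> List[str]:
        return list(self._policies.get(user, []))


class FaultyStore(PolicyStore):
    """Fault-injection wrapper: applies `fault` to whatever the real store returns."""
    def __init__(self, inner: PolicyStore, fault: Callable[[List[str]], object]):
        self._inner, self._fault = inner, fault

    def roles_for(self, user: str):
        return self._fault(self._inner.roles_for(user))


def _raising(exc: Exception) -> Callable[[List[str]], object]:
    def fault(_roles):
        raise exc
    return fault


# Catalogue of injected faults: dependency failure, wrong type, corrupted content.
FAULTS: Dict[str, Callable[[List[str]], object]] = {
    "exception": _raising(RuntimeError("policy store unreachable")),
    "returns_none": lambda roles: None,
    "returns_string": lambda roles: "admin",              # wrong type that still "contains" a role
    "grants_everything": lambda roles: roles + ["admin"],  # corrupted store content
    "empty": lambda roles: [],
}


def can_access_naive(store: PolicyStore, user: str, resource: str) -> bool:
    """Trusts the dependency completely; shown as the weak version."""
    required = REQUIRED_ROLE.get(resource)
    if required is None:
        return False
    return required in store.roles_for(user)


def can_access(store: PolicyStore, user: str, resource: str) -> bool:
    """Hardened version: any lookup failure or malformed result denies (fail closed)."""
    required = REQUIRED_ROLE.get(resource)
    if required is None:
        return False
    try:
        roles = store.roles_for(user)
    except Exception:
        return False
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        return False
    return required in roles


Check = Callable[[PolicyStore, str, str], bool]


def inject_faults(check: Check, user: str, resource: str) -> Dict[str, Optional[bool]]:
    """Run `check` once per fault. True/False is the decision; None means it crashed."""
    base = PolicyStore(SAMPLE_POLICIES)
    outcomes: Dict[str, Optional[bool]] = {}
    for name, fault in FAULTS.items():
        try:
            outcomes[name] = check(FaultyStore(base, fault), user, resource)
        except Exception:
            outcomes[name] = None
    return outcomes


def unsafe_faults(check: Check, user: str, resource: str) -> List[str]:
    """Faults that produce a grant the unfaulted store would not have produced."""
    baseline = check(PolicyStore(SAMPLE_POLICIES), user, resource)
    return [name for name, granted in inject_faults(check, user, resource).items()
            if granted is True and not baseline]


if __name__ == "__main__":
    for check in (can_access_naive, can_access):
        print(check.__name__, inject_faults(check, "bob", "ledger"),
              "unsafe:", unsafe_faults(check, "bob", "ledger"))
```

Run against `bob` requesting `ledger`, the naive check crashes on two faults and wrongly grants on two (the string fault slips past Python's substring `in`), while the hardened check only fails on the corrupted-content fault. That last result is the useful finding: no input validation in the check can defend against a store whose contents have been altered, so the integrity of the policy store is a trust boundary that has to be protected by other means, and the fault-injection run documents exactly that.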
The best approach to security is to design security into a system instead of adding it later. The earlier in a development process that this can happen, the better. Risk analysis can be applied at all levels of the software process, from requirements to finished process. Together, risk analysis and testing for security result in a strong methodological approach.
Copyright ©1999 Gary McGraw and Edward Felten.