Creating Secure Software Requires More Than Just Motivation n1shopsu, YALELODGERU
Email address is not displayed with comment.
Name is required to post a comment
Please enter a valid email address
Remember the early days of software programming? There were stories about the solitary programmer, toiling late into the night, (and into the next days and nights), working until the creation was complete. These images were corroborated by people such as Shawn Fanning, the creator of Napster, and Mark Zuckerberg, the creator of Facebook. They had more than a mission; they had a vision, and unceasing motivation.
Software development has come a long way from those “lone wolf” days. The alumni of those early days have gone on to greater tasks. While the motivation to create a great software product has not waned, it has become more formalized and legitimized. Motivation became married to discipline. Within this discipline, security has been added as a key component of the software development environment. In order to further the commitment to security in software development, an increasing number of software developers have taken on the challenge of achieving the Certified Software Security Lifecycle Professional (CSSLP) designation offered by (ISC)².
Many early software endeavors demonstrate the failures of good planning to connect motivation to direction. In some of the more egregious examples of poor planning, security was left in the realm of strictly technical aspects of network architecture. This is borne out when speaking with some of those who hold the CSSLP designation .
As stated by Santosh Kumar, “In general, the myth has been that having a firewall would address both the infrastructure and application/product lifecycle security. However, it didn’t take long for software houses to realize the importance of product lifecycle security.”
This sentiment is echoed by Jon Bentley, upon discovering a flaw that “allowed a server to literally output full text of everything that went through the application loaded onto it. The security impact of this software defect was that the appliance had a physical port that transmitted this data without any form of access control. So, an engineer or someone else in the hosted data center could plug in a serial connection and set up a TTY session and receive all of the information without the need for credentials.”
These are only two examples of where the motivation to create a functional piece of software fell victim to security neglect.
Software security failures can sometimes seem to be just a small, overlooked detail, yet the implications can be enormous.
Dr. Patrick Eulogius Yau relates an experience in which he discovered a “system password (root with super user access privileges) was not encrypted, stored in a plain text file, and installed on a person’s computer. Luckily, this was discovered during a system pre-launch review of the IT application system.”
Tim Reisch shared a similar experience, discovering “hard coded, backdoor passwords on control systems that could be accessed via the internet, by anyone.” When speaking with software security professionals, stories about poor password handling are ever-present.
It is easy to understand that security was once the sole responsibility of the infrastructure team, however, Brian J. Barber recounts an interesting anecdote whereby…
“Many industries believed that cybersecurity – in particular, software assurance is accomplished through paperwork or documentation. A widely held thought process was that security was the final checklist to review as an addendum to other forms of acceptance testing. Unfortunately, this approach has led to overwhelming amounts of technical debt that is costly to resolve – that is best case-scenario.”
It is easy to take the approach that a person doesn’t need a certification to possess specialized knowledge in a particular field. That is a convenient explanation for many, yet it falls short in the real world. Any bit of provable knowledge is better than the absence of that knowledge. Thinking of the CSSLP like any other credential, it adds credibility to your practice .
Cristián Rojas puts it succinctly: “The CSSLP credential gives me very deep knowledge in software security management. Now I can advise my clients on best practices in secure development and deployment, thanks to the certification.”
Jenelle Davis expands on this thought with “the CSSLP credential formalized and refined the software security skills I gained in practicum. However, the biggest benefit of the CSSLP is the framework it codifies which can be used to educate students and practitioners on the breadth and depth of software security fundamentals.”
Scott Brookhart takes this to a higher level, asserting that “the curriculum should be a part of all software development and computer science education.”
Credibility is not the only advantage to achieving the CSSLP designation. The enhanced knowledge servers many practical purposes as well.
Jim Rutt explains, “I’ve been able to work with numerous cybersecurity companies and share my knowledge in application security gained through the course of study, as well as applying the knowledge to properly assess new application security products and determine their efficacy and applicability to certain known issues.”
In a similar vein, Erez Pasternak points towards his 20+ years in the software development profession, adding “I have dealt with security-related tasks and learned about security, but the CSSLP credential provides a structured approach for dealing with security in all stages in software development.”
Nop Phoomthaisong packs a ton of wit into his brief statement: “The reinforcement of the certification gives immense contributions not only to the cybersecurity industry, but to our precious customers, which is the heart of any business.”
Are you considering studying for the CSSLP exam? The benefits of study alone are well worth the effort.
Alan Chan describes the completeness of the CSSLP Common Body of Knowledge (CBK) with the following insight: “The CSSLP domains cover every phase and aspect throughout the software development life cycle (SDLC), from defining the requirements, designing the software, through implementation and testing, ending up to deployment and ongoing maintenance.”
Thomas Jackson’s perception of the CSSLP combines both the benefits and the completeness of the certification: “One of the biggest benefits I say in gaining my CSSLP is the completeunderstanding of the lifecycle. I know it seems like a broad term, but in the context of cybersecurity understanding the lifecycle is everything.”
Read our eBook, The Art & Science of Secure Software Development , to hear more stories and words of inspiration from developers and security professionals who have gone on to achieve the CSSLP designation.