Making attacks more difficult and costly to carry out may be a strategy that begins with improving the security skills of software engineers, according to an application security organization that is launching a new training series this week.
The Software Assurance Forum for Excellence in Code (SAFECode), which is being led by security industry luminary Howard Schmidt, will kick things off with the release of six training courses that focus on basic Web application security flaws, password security and malicious code injection. Schmidt, the former White House Cybersecurity Coordinator, told CRN that the series goes to the core of most data breaches and the security problems most enterprises face. "This is aimed at anybody that does development work because their core competency may not be secure software development," said Schmidt, who serves as executive director of SAFECode. "We know that the vast majority of successful intrusions are based on vulnerabilities, so it means we should focus on the bad actors by making it more costly for them to do business."
The initial launch of the SAFECode courses includes training manuals and free Webcasts published under the Creative Commons license so they can be easily shared by the software development community. The program materials were built from Adobe's internal software security curriculum. A consortium of security experts reviewed the program, reworking it to fit a broad set of organizations.
The video series being launched on Tuesday will address SQL injection, a commonly targeted Web application vulnerability, as well as cross-site request forgery, a dangerous coding error that enables attackers to pose as legitimate site users. Schmidt called the initial courses the first building blocks to get software developers to hone their skills.
"Every organization has a specific culture and set of processes so we hope they can pick training that can supplement what they're doing and establish a stronger culture of security among their software developers," Schmidt said.
Some experts believe organizations should set out to try to fix every bug, but a better approach to making software safer is to study exploit tactics and understand the steps that the bad guys take to create a functioning exploit, said Brad Arkin, a software security expert who spearheaded improvements to Adobe's software security program. Arkin, who is now chief security officer at Adobe, has been a vocal advocate for figuring out how to drive up costs for malware authors.
"We're not just trying to find and fix all the bugs, but we're trying to build defenses in place that make any bugs we haven't yet found and fixed, harder to exploit," Arkin said. "Without changing the code at all, you take that exploit-authoring process and make it more difficult and that, for me, is the real focus of the work we do at Adobe."
SAFECode has released a series of software security papers on software integrity and security training for software developers. Other organizations that participate in SAFECode include EMC, Juniper Networks, Microsoft and Symantec. Software security experts at each organization created a framework in 2009 for internal security engineering training. While software security training is difficult, organizations of all sizes may be able to use some of the principles of the framework to make improvements, Arkin said.
"We're focusing on what is being done in the real world with all of the member companies," Arkin said. "We talk about what consistently works for each of us in our different environments, and we're trying to capture that so the rest of the world can see it."
PUBLISHED MAY 13, 2013