By David Braue
13 February 2006
Every software developer likes to believe he or she is committed to
application security -- but senior managers need to put their money
where their mouths are to turn security rhetoric into action, a senior
development manager at Oracle Corporation has told more than 200
delegates at the SECURECon security conference in Melbourne.
As senior principal program manager with Oracle, Evelyn Sell's role
includes the supervision of part of Oracle's massive fleet of
developers. In her experience, a variety of common and preventable
factors -- ranging from developer laziness and ignorance of security
issues, through to a lack of developer accountability, expectations
that coders produce large volumes of code to strict timelines, and
overall time-to-market issues -- often cause the security problems
that explode into much bigger issues when they're let loose into the
Particularly in companies producing commercial software, blame can be
traced to managers that maintain high expectations of coders but don't
provide enough training to ensure adequate application security. "I am
blown away by the billions of dollars that is invested in security
[fixes] for something that really should be second nature," Sell
explained. "It's very important to build in security up front."
Once code is complete, fixing the problem can often be much more
difficult -- and far more expensive -- than getting it right in the
first place. Customers build their own code on top of platforms like
Oracle's database and business applications, and even a small security
fix can potentially break all sorts of related, interdependent
applications. That means security remediation must involve slow
movement and extensive testing -- something, Sell admitted, that can
be hard given commercial pressure to get products or bug fixes out the
Sell described Oracle's four-pronged secure development strategy,
which is encompassed in a "large, living document" that is constantly
upgraded with new knowledge gained from the company's many development
Regular analysis of the document reveals common themes that drive
future investment. For example, Oracle recently responded to a
perceived lack of security coding skills by introducing several
mandatory online training modules on secure coding practices;
developers that fall short of the 80 percent pass mark are reported to
managers for more intensive training.
The company also uses a formal product security checklist that is
regularly reviewed and used to drive frequent development team
meetings. Prescriptive lists of acceptable tools, for applications
such as cryptography and random number generation, aim to keep
developers from rolling their own or using insecure code from
elsewhere. An internal 'tiger team' of security experts constantly
pounds Oracle code to identify potential problems before the code
This may all sound like a bit much to organise for many managers.
However, attention to the other presenters at SECURECon would quickly
disabuse complacent managers of the idea that security is optional.
Presenters at this year's conference -- the fourth in the Melbourne
University-organised event's history, combining two days of
presentations with a full day of hands-on 'hackathons' -- discussed
both the security of various common technologies, and how to bypass
Security specialist Chris Spencer highlighted techniques for
exploiting buffer overflow problems in Windows, as well as discussing
ways to circumvent buffer overflow protections built into Windows XP
SP2. Microsoft IT Pro Evangelist shared techniques for hardening
Windows Server 2003 SP1, while penetration testing expert C=E9dric
Blancher highlighted the inherent lack of security of most WiFi
networks and devices.
Other sessions delved into security in Mac OS X, Cisco routers, Unix
servers, Apache Web servers, digital rights management (DRM)
technologies, and identity based user authentication. Well-known
US-based IBM developer Wietse Venema discussed his development of the
secure and widely used Postfix e-mail server.
Although primarily intended for developers, the content of SECURECon
nonetheless resonates for all business managers. Ultimately, they need
to understand that code security must trump even commercially imposed
deadlines; one major release of Oracle software was held up for more
than two weeks while developers resolved a bug they'd identified.
That's the kind of delay that gives marketing executives palpitations,
but Sell believes that it's ultimately easy to argue the value of good
security in terms even managers understand.
"All you need to do is show management the fallout line and let them
know what [less than optimal security practices] are actually costing
them," she said. "This is a small expense compared with the millions
of dollars each individual security bug can cost a company. When you
talk about the bottom line, all you really need to do is to show
management how much less it would cost if they can drop the number of
security vulnerabilities shipping in the products."
InfoSec News v2.0 - Coming Soon!