Security manager's journal: Keeping in-house code safe

Our manager's company has shockingly little oversight on the security of software code written for it by third parties.

We have a major problem, which explains why I'm sitting in an airport right now. I'm heading off to visit some third parties that develop portions of our software for us.

Trouble Ticket

At issue: A third party's software code unleashed malware.

Action plan: Look at the entire software development process and incorporate automated checks of source code.

The problem is that some software we recently developed in-house was infected with malware, and the source of that malware was traced back to a third party's code. We were fortunate that the malware was pretty well contained, but the fact that this could happen at all raises questions about the security of our methods.

After I heard about this incident, I started looking into my company's software development life-cycle (SDLC) process, which is meant to help us develop systems in a very deliberate and structured manner. To my mind, any SDLC that doesn't include taking sanity checks on security isn't worth much. And upon investigation, it was painfully obvious that we lacked robust security sanity checks for third-party code. Apparently, assumptions were made and we ended up with verbiage in our contracts that said it would be the third party's responsibility to verify that all code was free of security bugs and other potentially threatening anomalies. Assumptions about security always make me wince.

In my meetings, I want decisions made on roles and responsibilities, expectations and methodology. Of course, I don't expect developers or quality assurance engineers to manually review source code, so I expect to invest in technology that will help in this analysis.

As I prepared for this trip, I started looking into the technologies that are available in the marketplace for this sort of automated code vetting, and my initial investigation has revealed that several companies offer such tools. There are products that would reside in-house, or we could go with a software-as-a-service option. At this early stage, I find the SaaS model intriguing, since my company has a Web-based collaboration tool that allows third parties to submit code for incorporation into our homegrown software.

One question we will have to answer is whether we want to burden the third parties with the responsibility of doing the analysis or conduct the analysis ourselves. Burdening the third parties may hinder innovation. Doing it ourselves will add to our overhead.

Dynamic or Static

My research also taught me about the approaches that are available for code checking. There are two principle ways of doing this: static and dynamic. With static analysis, the raw source code is reviewed for indications of poor programming practices that could lead to a security incident, such as leaving sensitive information in the comments of the code; not conducting bounds checks, which can result in buffer overflow attacks; and lack of input validation, which may lead to SQL injection attacks. Dynamic analysis is more, well, dynamic. In a dynamic analysis, you actually attack the compiled application and look for indications that it's susceptible to exploitation.

One constraint for us is that we'll have to find a product that maps to all the programming languages we use; we don't want to have to invest in multiple products to cover everything. And we'll have to review the license model, the support structure, the reporting mechanism and overall flexibility when it comes to incorporating the product into our various SDLC processes. In addition, I'll want the ability to audit and govern the process if necessary.

Security Blog

Join In

Share your thoughts and ideas about security in discussions with fellow IT pros at Computerworld.com/blogs/security.

After my travels, and no doubt a lot more meetings, I'll formulate business requirements and draw up process documents. I don't imagine this will be an overnight change, but given the risks, there will most definitely be a change.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securitydata protection

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Mathias Thurman

Computerworld (US)
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?