03 Jun 2004
Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.
This week Peter Varhol, product manager at Compuware, considers how application developers can make life harder for hackers by making security a priority when writing code.
We've all seen the stories about hackers penetrating the systems of some of the world's largest organisations. Illegal access to private and financial data affects us all, with hackers finding new vulnerabilities in the software applications we use every day.
Most IT managers will have had to deal with the problems that such hacking creates by patching applications to protect against the vulnerabilities that are found.
But what IT professionals should really be doing is stopping hackers from compromising the security of business applications in the first place.
Developers can make life much more difficult for hackers by making security a priority when writing code.
Secure code requires extra effort, along with a detailed knowledge of likely vulnerabilities. There is no silver bullet available for identifying and addressing these automatically, although help is available in several areas.
Since applications are made up of thousands of lines of code, the coding process is the obvious place to start addressing security.
It is also the cheapest place to make changes (the later in the application life cycle a change is made, the higher the cost), and the developer is well placed to identify potential flaws.
But writing secure code isn't as simple as it sounds. You need to consider the various nuances and side effects of the algorithms and constructs used in the coding process.
A good way to overcome this challenge is to implement automated code review processes. A comprehensive automated code review is a necessary first step, because without it you simply cannot judge how secure the code within an application is.
Developers also need to consider security at runtime. As people use applications, different parts of the software are executed. Developers need to analyse how memory is used during this execution to see whether any vulnerabilities are created.
Finding these weaknesses means going over every line of code, listing every declared variable, determining its allocated memory, and inserting error-checking code.
Apart from the time and expense involved, vulnerabilities are difficult to find when an application has to carry out millions of memory allocations and de-allocations during its lifetime. So developers need to find ways to automate this process so that errors and vulnerabilities are detected during runtime testing.
Data passing between components in an application is another danger area. Though developers may believe that data within an application is secure, a virus or hostile program can find opportunities to attack or compromise even here.
To identify these vulnerabilities after the application is complete, developers should look at how data moves about inside the application. Some form of distributed analysis can help you to do this by identifying unencrypted data passing between application components.
By putting in place some of these measures developers can enhance the security of their applications without compromising usability.
Although it is impossible to deliver completely hack-proof applications, the above measures should make hacking harder. This should result in potential hackers moving on to target a less secure application or, failing that, make it easier for the IT department to spot hacking activity before any damage is done.
It should be remembered though that in today's complex technical environments, keeping track of every possible security loophole is a time-consuming process.
So developers need to automate much of the analysis required to ensure the organisation has the best chance of foiling the attempts of the thousands of hackers out there.