As security awareness rises and users realise that paying
for security today is better than risking business failures,
thanks to security failures tomorrow, the practice of secure
coding is being increasingly followed in global as well as
Indian software firms. Srikanth R P reports
| Gaurav Verma feels that Oracle has the confidence to
take on the ‘unbreakable’ tag since it has implemented
extremely tough security measures in its products |
Time-to-market is perhaps the most important factor for a
software company developing a product or delivering a service.
The longer the time it takes to get the product/service to
market, the greater the chances of someone else beating you
to it, technology obsolescence, or increased costs that make
for reduced margins. The end result is that in the rush to
meet deadlines, software code security testing is mostly overlooked.
Most users of commercial operating systems and software
hardly know anything about the vulnerabilities in the software
till they read headlines in the media about some security
hole that has caused havoc, or worse, until their own security
is compromised thanks to such a hole. The vendor then goes
into damage control mode and makes the usual noises and releases
a patch with a promise that the hole will be fixed in the
next release.
Administrators have to be on constant alert to daily or weekly
announcements and then download and install patches to overcome
vulnerabilities in their networks. And then, of course, there is
the security awareness that has increased after 9/11. Security
is suddenly under the spotlight.
All this simply means that while previously a US company
rarely examined the security practices of the offshore firm
it was outsourcing to, recent trends show a major change in
mindset. While secure coding as a practice was rarely adhered
to in software development, incidents like the Nimda attacks,
which exposed vulnerabilities in software causing losses in
terms of millions of dollars, have forced companies to insist
on secure coding practices.
Why secure coding?
In the early days of the software revolution, most software
developed was used for internal use and deployment, and external
security was hardly an issue. But today, with most systems
connected to the Internet, the need for external security
is suddenly real. When a company has its software produced
in an overseas development centre, it defines the performance
requirements and the timeframe within which the software has
to be developed. While clients spend thousands of dollars
on testing software applications, rarely do security departments
inspect the code for trojans, viruses or embedded Easter eggs
(codes that can activate unspecified activities).
Disturbing trends
A look at some statistics throws up some interesting facts
about losses due to vulnerabilities. CERT, a firm that researches
global Internet security vulnerabilities and publishes security
alerts, says the number of publicly released computer security
vulnerabilities doubled in the last year. The number of holes
or bugs found in software increased from 1,090 holes in 2000
to 2,437 holes in 2001. The number of incidents caused due
to these vulnerabilities more than doubled in 2001, from 21,576
cases in 2000 to 52,658. Cigital estimates losses of over
$3 billion due to software vulnerabilities last year. In a
survey by Computer Society Institute, 186 companies reported
a financial loss of $3.8 million last year due to system exploits.
Adds Rajat Mohanty, CEO, Paladion Networks, “Today
a majority of intrusions take place by exploiting vulnerabilities
in software. Software defects can cause a program to abort,
resulting in denial of service to end-users. The onus is on
the vendor for assuring the security of a product. This is
seen by the fact that consumers are increasingly demanding
that software vendors be held responsible for security vulnerabilities
of their products. For this, security should be incorporated
at the design stage and application testing for security should
be undertaken before a product release.”
Other analysts agree that improving software security quality
addresses the source of many vulnerabilities, whereas applying
procedures and patches after exploits are discovered merely
addresses the symptoms.
| Paladion’s Mohanty sees a booming opportunity in consulting
services for reviewing design and integrating security
into applications |
Global leaders show the way
This trend is seen by the fact that software biggies like
Oracle and Microsoft are taking the lead in making their software
packages secure, or in Oracle parlance, ‘unbreakable’.
Both the majors are taking extensive steps to incorporate
security in the design phase of software. This includes choosing
technologies and protocols that are resistant to attacks and
ensuring that all data is properly encrypted. For example,
Oracle has an in-house hack team that tests their software
for vulnerabilities, if any.
Explains Gaurav Verma, marketing manager, Oracle 9i, Oracle
India, “Oracle has implemented the toughest security
measures in its technology for a very long time. We realise
that today’s software solutions work on a multi-tier
architecture and hence there are multiple points at which
security needs to be built in. Oracle 9i, for example, prevents
data capture as it is transmitted across the network. Be it
e-mail, sales forecasting, marketing or support, all our
applications run on a single clustered server and are made
accessible over the Web. This ensures that administration
of user IDs, privileges and mailing lists is managed at only
one location, thanks to which strong security, availability
and performance can be maintained.”
The importance of security in software in recent times can
be gauged by the fact that Oracle has made the ‘unbreakable’
tag into a marketing statement, which is a reflection of a
big change in the mindset of the industry.
Microsoft, known to be on the other side of the fence and
the butt of many jokes for its buggy software, has also made
a serious effort to make its software more secure. For example,
chairman Bill Gates recently released a memo titled “Trustworthy
Computing” to all MS software programmers, stressing
availability, security and privacy. The memo emphasises
two critical elements: training developers in the latest
secure coding techniques and architecture redesign around
.NET. It is rumoured that Microsoft had sent around 7,000
programmers for secure code training in February 2002. The
principal aspects during training are checking each input
for validity and ensuring that the software programs abort
in safe mode, cleaning up all raw data.
Microsoft has also taken the lead in supporting security
standards like Kerberos and PKI certificates as part of Windows
2000 Server. Adds Daniel Ingitraj, senior marketing manager,
Microsoft India, “A lot of work has to be done before
we reach a place where people inherently trust their computing
systems. But it is crucial that we work together as an industry
to address this issue. For example, with IBM, we have jointly
taken the lead in founding the Web Services Interoperability
organisation. One of its goals is to develop implementation
guidelines that will enhance the trustworthiness of XML-based
Web services.” Additionally, Microsoft is putting more
than 8,500 Windows developers through a training course on
advanced security programming.
Following the training, these programmers will begin an intensive
review of the Windows source code to put the training into
action. Ingitraj believes that this review will herald a new
change that will infuse security into every aspect of the
development process, much like quality control was infused
into the manufacturing processes of companies in the years
after World War II.
| Patni’s Dhanuka feels that in the years ahead there
will be separate clauses in contracts, making risks due
to insecure software a liability of the software vendor
|
The Indian revolution
While products with bugs are released even today, mostly driven
by a competitor’s schedule or internal marketing efforts,
there has been a quiet and serious effort by even Indian pure-play
software companies like Infosys, HCL Technologies, Patni,
ICICI Infotech and Wipro to ensure secure coding practices.
Indian software companies who boast of their quality certifications
are now actively looking at bringing in the security aspect
too as part of their domain expertise. For instance, some
are working on securing some basic design flaws like lack
of user input checks. Explains Mohanty, “Buffer overflow
attacks are the most common Internet attacks and are also
the oldest known attacks (the first was the Morris worm in 1988).
This happens when a user provides an input much longer than
what the program had intended. This longer input floods the
memory buffer and overwrites program instructions. So, the
program, instead of executing the normal instruction, will execute
the user’s instruction. The user can do anything with
the system this way, including taking administrative control.”
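The missing input check behind the overflow described above, shown as an added C example that is not from the article or from any company quoted in it; the function names, status codes and the 16-byte field size are assumptions made for illustration. The unchecked copy writes for as long as the input lasts, while the checked copy measures the input against the buffer first and refuses anything that does not fit.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* assumed field size for this example */

enum copy_status { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/* Unchecked pattern: strcpy() keeps writing until it meets the NUL in src,
 * however small dst is. Kept for contrast; main() only calls it with an
 * input that is known to fit. */
void store_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Checked pattern: validate the input length before any byte is copied,
 * and fail safely by leaving dst as a valid empty string. */
enum copy_status store_name_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARG;
    dst[0] = '\0';
    /* Look for the terminator within the first dst_size bytes only. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)              /* input plus its NUL will not fit */
        return COPY_TOO_LONG;
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return COPY_OK;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    /* Constructed inputs: one that fits, one 40 characters long. */
    const char *fits = "alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    store_name_unchecked(name, fits);   /* safe only because it fits */
    printf("unchecked copy: %s\n", name);
    printf("checked, fits: %d\n", store_name_checked(name, sizeof name, fits));
    printf("checked, too long: %d\n",
           store_name_checked(name, sizeof name, too_long));
    printf("buffer after rejection: \"%s\"\n", name);
    return 0;
}
```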
One more basic design flaw is that most applications have
weak authentication and encryption. This means that most applications
lack password policies or controls that would have helped
lock out would-be intruders trying to brute-force the login
process. Also, most often applications permit user passwords
to travel over the network unencrypted where they could be
easily stolen.
While most Indian software companies still do not follow
international standards for security like OWASP (The Open
Web Application Security Project) or the ITSEC (IT Security
Evaluation Criteria), a majority of them have taken the
best practices on security from these developing standards.
For example, ICICI Infotech has taken a series of initiatives
to make its software code more secure. Explains Manoj Kunkalienkar,
joint president, ICICI Infotech, “Besides referring to
international standards like OWASP and ITSEC, we have maintained
an extensive repository of security lapse scenarios and associated
codes to take care of while developing code. We also ensure
that the software developed is capable of supporting encryption
standards and digital certificates.”
Another software major, HCL Technologies, as part of the
quality practices that exist at SEI CMM Level 4 and 5, tests
the common causes for a security hole to creep into the system.
Explains a company spokesperson at HCL Technologies, “We
make a conscious effort to test our code for buffer overflow.
In addition, potential flaws are identified through code
walkthroughs and various debug tools are used to track potential
problems in the final product. Our belief is that rather than
fixing security loopholes in a firefighting mode, which is
the prevailing trend, this should be built into the system
right from conceptualisation and design through development
and testing.” Mumbai-based Patni also uses secure programming
standards in all its projects. For Web application development
projects, the company uses OWASP standards.
Hindrances
The only hindrance in adopting international security certifications
is the fact that most of these certifications are still evolving
and hence it is prudent for companies to take only the best
practices from each of these certifications. Agrees S V Nagraj,
research associate, Infosys, “As there is no definitive
standard yet, it is difficult to follow any particular international
standard. However, we hope that guidelines from ISO, SEI CMM,
TCMM and ITSEC will be made essential in adhering to basic
principles of secure coding. Also, major software developers
in the US have started focusing on security while developing
products. It is only a matter of time before Indian companies
follow suit.” While each and every software company that
Express Computer spoke to did agree that secure coding as
a practice is here to stay, most of them were doubtful about
secure coding being made mandatory as it is difficult to check
if secure coding has been used. Adds Dilip Dhanuka, general
manager, product and technology initiatives, Patni, “Going
forward, we believe that there will be separate clauses in
contracts making risks due to insecure software a liability
of the software vendor.”
Opportunities
Looking at the increasing trend of US companies insisting
on secure coding practices, independent consulting companies
like Paladion Networks are looking at grabbing a piece of
this market that is just beginning to explode. Paladion offers
services like software design review and security integration,
application code testing and post-deployment application audit
and security testing. In 2001, leading software vendors spent
more than $8.4 billion on application design and construction
tools, while total spending on application security tools,
training and consulting was around $60 million. The market
for application testing post-deployment is larger, accounting
for over $200 million in 2001.
In India, the market is nascent and estimated to be close
to Rs 50 million. Adds Mohanty, “The market is expected
to grow rapidly in two areas: consulting services for
reviewing design and integrating security into applications;
and in testing the application either pre-release or post
deployment. Training for secure programming will be the third
area, especially for companies with large sets of coding professionals.”
But it is expected that as secure coding practices are made
mandatory, the Indian market too will adopt secure coding
practices in the manner it is adopting quality certifications.