Monday, 12 January 2009« Reality Check | Main | Voting, Three Months Later »
Over the last few months I have worked with a group of software security experts to develop the CWE/SANS Top 25 Most Dangerous Programming Errors. Working on this project has got me thinking about a key point that we make in Secure Programming with Static Analysis: Most of the people who build software are focused on things other than security (writing code, running test cases, deploying applications, and so on). These people are making security-critical decisions on a daily basis, but they can't afford to become security experts--they've got other things to worry about.
Security is a complicated field and we can't expect everyone to become experts. Software developers and architects, quality assurance testers, and operations engineers all have a wide range of responsibilities. As an industry, our best chance to develop secure software is to get non-experts making meaningful contributions.
We must enable non-experts to get security right. This means arming them with the right processes (building security into the software development lifecycle from the ground up), skills (teaching people to ask "What could go wrong?", not arcane security specifics), and tools (deploying static analysis in development, runtime analysis in QA testing, and active defenses in deployment).
The winds of change are blowing in the right direction. Top universities across the country are beginning to offer courses that either address or focus entirely on software security. Fortify currently works with over 50 universities by helping them incorporate software security into their course offerings and by granting them unrestricted academic licenses for classroom and research purposes. This offer is open to any college or university who wishes to participate.
Despite a sunny outlook, most people building software today have received no formal training on software security. Projects like the OWASP Top 10 and the CWE/SANS Top 25 focus attention on the problems that are causing the most pain, serve as fodder for training programs, and generally increase awareness among non-experts. Let's hope that projects like these continue to carry the banner for software security into the 21st century.