Friday, May 05, 2006

Tech Companies Check Software Earlier for Flaws

When BlackBerry maker Research in Motion Ltd. developed software in the past, its engineers worked quickly to meet deadlines, sometimes overlooking bugs that were caught later in the process. The result: when issues cropped up after a program had been built, it took immense time and energy to trace their roots.

RIM wasn't alone. Many companies rushed to beat rivals with new software, and checking for bugs that could later be exploited by hackers was often seen as a waste of time. That has begun to change in the past few years as new laws force the disclosure of security holes and breaches, and companies increasingly interact with customers through the Web, a front door for threats. Now, many companies, including RIM, are teaching programmers to write safer code and test their security as software is built, not afterward.

While the BlackBerry had escaped serious scrutiny for security holes, Herb Little, a RIM security director, worried the company hadn't paid enough attention to the software that runs on the BlackBerry and other devices. "The idea was that we could be doing more," says Mr. Little, who is based at RIM's Waterloo, Ontario, headquarters. "We had to raise the bar."

Mr. Little soon discovered Coverity Inc., a San Francisco start-up that sells tools to automatically check for software flaws. Now Mr. Little uses Coverity every night to scan the code turned in by engineers. The tool sends Mr. Little an email listing potential red flags. He figures out which problems are real and tracks down each offending programmer, who has to fix the flaw before moving on. Mr. Little has also ramped up security training and requires programmers to double-check each other's code more regularly.

[Finding Holes]

Software vulnerabilities throughout the industry have been on the rise: in February, for example, the U.S. Computer Emergency Readiness Team, a government organization, pointed out a flaw in Apple Computer Inc.'s Safari Web browser that could allow a hacker to take control of a computer by persuading a user to view a specially crafted Web page. Overall, Symantec Corp., a Cupertino, Calif., maker of security software, found 3,758 vulnerabilities in software last year, up 42% from 2004.

In effect, software makers are now admitting that their previous development process was faulty. While banks and other companies that deal with sensitive customer data began to build security into software development in the late 1990s, Microsoft Corp. and other software makers are only now in the middle of revamping their software-writing processes. In recent years, Microsoft says it has added controls that force its programmers to write better code before they can add it to the main program they are building. Several years ago, Microsoft also bought Intrinsa Corp., which made tools that allow programmers to find and fix bugs while they write code.

Bruce Bonsall, chief information security officer at Massachusetts Mutual Life Insurance Co., likens the new approach to fixing a plumbing problem while a house is being constructed, instead of waiting until afterward. "If you wait until your house is completely built to fix the plumbing, you're going to have to rip out the walls to do it," says Mr. Bonsall.

Revamping the software-development process creates a Catch-22: being more careful can mean missing deadlines. Microsoft, for instance, said last month that it will delay the launch of its new Windows Vista operating system to spend more time testing security and other "quality" issues. That news prompted UBS AG analyst Heather Bellini to lower her sales forecast for Microsoft's 2007 fiscal year by $112 million to $50.2 billion. The stock price fell 2% the next day. Ms. Bellini has since lowered that forecast to $50 billion, for separate reasons.

At some companies, deadlines still trump secure code. But things are slowly changing, which creates an opportunity for Coverity, and a handful of other start-ups such as Fortify Software Inc., Ounce Labs Inc. and Klocwork Inc. These companies make tools that dig into software during the development process, automatically scouring lines of code for common mistakes that a hacker could exploit. In a research note last month, Gartner Group analyst Amrit Williams said software makers that perform security code reviews experience a 60% decrease in critical vulnerabilities that make it into programs.
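To make concrete what the nightly scans in the RIM passage and the code-scouring tools described just above actually do, here is a deliberately small scanner written for this page (it is example code, not Coverity's, Fortify's or any other vendor's product). It walks constructed C source line by line, skips comments, flags a few classic exploitable mistakes (unbounded string copies, a caller-controlled format string, an unbounded scanf read) and separates findings a human has already triaged from open ones, mirroring the "figure out which problems are real" step. The rule names, the `// reviewed:` suppression marker and the sample file are assumptions made for the example.

```python
"""Toy nightly source scanner (constructed example, not any vendor's product).

Walks C source text line by line, strips comments, and flags calls that are
classic sources of exploitable bugs. A finding on a line carrying the assumed
"// reviewed:" marker is reported as suppressed rather than open, modelling
the human triage step where someone decides which red flags are real.
"""
import re
from dataclasses import dataclass

# Assumed rule set: (rule id, compiled pattern, why the pattern is dangerous).
RULES = [
    ("UNBOUNDED_COPY", re.compile(r"\b(strcpy|strcat|gets)\s*\("),
     "copies into a buffer with no length bound"),
    ("UNBOUNDED_FORMAT", re.compile(r"\bsprintf\s*\("),
     "formats into a buffer with no size limit"),
    ("FORMAT_STRING", re.compile(r"\bprintf\s*\(\s*[A-Za-z_]\w*\s*[,)]"),
     "variable used as the format string"),
    ("UNBOUNDED_SCANF", re.compile(r'\bscanf\s*\(\s*"[^"]*%s'),
     "%s conversion with no field width"),
]
SUPPRESS_MARKER = "// reviewed:"  # assumed convention for triaged findings


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    reason: str
    code: str
    suppressed: bool


def _strip_comments(line, in_block):
    """Return (code, in_block): the line minus comments, plus block-comment state."""
    code = line
    if in_block:                      # still inside a /* ... */ from an earlier line
        end = code.find("*/")
        if end == -1:
            return "", True
        code = code[end + 2:]
        in_block = False
    while True:                       # block comments opened on this line
        start = code.find("/*")
        if start == -1:
            break
        end = code.find("*/", start + 2)
        if end == -1:
            code, in_block = code[:start], True
            break
        code = code[:start] + " " + code[end + 2:]
    return code.split("//", 1)[0], in_block   # drop a trailing line comment


def scan(path, source):
    """Run every rule over every non-comment line of one file."""
    findings = []
    in_block = False
    for lineno, raw in enumerate(source.splitlines(), 1):
        suppressed = SUPPRESS_MARKER in raw   # checked before the comment is removed
        code, in_block = _strip_comments(raw, in_block)
        for rule, pattern, reason in RULES:
            if pattern.search(code):
                findings.append(Finding(path, lineno, rule, reason, code.strip(), suppressed))
    return findings


def report(findings):
    """Text a nightly job could mail out: open findings first, then suppressed ones."""
    lines = []
    for f in sorted(findings, key=lambda f: (f.suppressed, f.path, f.line)):
        status = "suppressed" if f.suppressed else "OPEN"
        lines.append(f"{f.path}:{f.line}: [{status}] {f.rule}: {f.reason}: {f.code}")
    return "\n".join(lines)


# Constructed input standing in for code an engineer turned in overnight.
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>

/* Greet the caller; name comes straight from the network. */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);          /* overflows if name is 32 bytes or longer */
    printf(buf);                /* caller-controlled format string */
}

void log_line(const char *msg) {
    char line[128];
    // strcpy(line, msg);  old code, kept for reference
    snprintf(line, sizeof line, "%s", msg);
    printf("%s\n", line);
}

void legacy(char *dst, const char *src) {
    strcpy(dst, src);           // reviewed: dst is sized by the caller
}
"""

if __name__ == "__main__":
    print(report(scan("greet.c", SAMPLE_C)))
```

Run as a script it prints two open findings (the strcpy and the printf in greet) and one suppressed finding (the reviewed strcpy in legacy); the commented-out strcpy and the bounded snprintf produce nothing. Real products build a parse tree and track data flow instead of matching text, which is what lets them distinguish a copy bounded by an earlier length check from one that is not, and this toy will also misfire on `//` inside string literals; the workflow it models is the point: an automated pass over every check-in, a human deciding which flags are real, and the decision recorded next to the code rather than lost in an inbox.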

Venture capitalists have already poured tens of millions of dollars into this market. Ted Schlein, a partner at Kleiner Perkins Caufield & Byers, a Menlo Park, Calif., venture-capital firm, came up with the idea for Fortify four years ago. Mr. Schlein, a former Symantec executive, saw that software makers were becoming more concerned about improving security but lacked tools that could do so quickly and automatically. Fortify, of Palo Alto, Calif., has since raised $24 million in funding from Kleiner Perkins and others over the past three years. While the company initially struggled to convince customers that its tools were worthwhile, several companies including Oracle Corp. have now signed up for Fortify's tools, which cost more than $100,000.

Adobe Systems Inc. is one Fortify customer that is now altering the way it tackles security. Two years ago, Macromedia Inc., now part of Adobe, hired Adrian Ludwig, a former security consultant, to revamp its software security approach. Several security issues had been exposed at the time in the company's software, including a vulnerability that a hacker could use to sneak malicious code on to a PC through Macromedia's Flash Player.

Since then, Mr. Ludwig has adopted Fortify software and improved communication between his team of security experts and programmers who write software. A few years ago, each group worked more or less separately: The programmers coded, then the quality-assurance team checked for mistakes. Now, programmers and security types often sit side by side at a computer, sometimes lobbing pieces of code back and forth several times a day until they believe it is airtight. The result: "Issues are being found earlier," Mr. Ludwig says. But, he adds, "I'm still trying to shift that curve."

source:http://online.wsj.com/public/article/SB114670277515443282-B59kll7qXrkxOXId1uF0txp8NFs_20070504.html?mod=blogs
