Cars and Code: Inspection Criticality

Thursday, March 13th, 2008

I don’t have a fancy car by any means but the one I do have is zippy and reliable. Shocking, considering that I am only reactive when it comes to maintenance and inspection. And while I know very little about cars to begin with, sometimes I try to evaluate for myself how critical it is that I obtain such necessary inspections. One can only imagine the car chaos that creates in my life.

Thankfully, most people are not like me – at least when it comes to vehicles. What about when it comes to code? Yesterday, in his talk “Your Car Has Passed Inspection… But What About Your Software?”, Veracode CEO Matt Moynahan discussed how vendor self-certification and code audits are not enough to protect against software security vulnerabilities. He issued a call to action for the software industry to require independent assessments – while simultaneously pointing out the current pitfalls in the industry that make this tough (lack of metrics, the time consumed by manual code reviews and lack of vendor motivation).

While it’s not surprising that a leader of a vendor that helps companies evaluate and quantify their code bases suggests third-party software inspection, this call to action was bigger than Veracode. While his company might be the right one to take the lead on such action, what Moynahan proposed is an industry standard that requires the ability to quantify security risk for individual applications based on mission criticality. A Moody’s for software, perhaps, that bases its independent assurance on industry standards (CWE, CVSS, NIST) and provides testing for both pre-deployment and deployment phases. This would require both code providers and their customers to start demanding such inspections.

“Vendors need to take a pragmatic approach,” he said. “Prioritize your application security testing program based on the criticality of your applications.” He urged vendors to work collaboratively with their extended supply chains to promote application security – for the betterment of both developers and software buyers.
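To make the idea of “quantify security risk per application, then prioritize testing by criticality” concrete, here is a small worked example. It is added here and is not code from Veracode or from Moynahan’s talk; the criticality tiers, their weights, the scoring rule (tier weight times the sum of CVSS base scores) and the sample findings are all assumptions constructed for illustration. The CVSS severity bands are the standard CVSS v3 qualitative ratings.

```python
"""Rank applications for security testing by mission criticality and finding severity.

Added example, not the project's own code. Tier names, weights, the scoring rule
and the sample data below are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical criticality tiers (assumption): the more critical the application,
# the more a finding of a given severity should count toward its test priority.
CRITICALITY_WEIGHT = {"mission-critical": 3.0, "business": 2.0, "internal": 1.0}


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


@dataclass(frozen=True)
class Finding:
    app: str     # application the finding was reported against
    cwe: str     # weakness class, e.g. "CWE-89" (SQL injection)
    cvss: float  # CVSS v3 base score


def app_risk(findings, criticality):
    """Aggregate findings per application, weighted by the app's criticality tier.

    Returns {app: {"score": float, "worst": str, "findings": int}}.
    Applications with no findings do not appear; an application whose tier is
    unknown is an error rather than silently treated as low priority.
    """
    per_app = defaultdict(list)
    for f in findings:
        cvss_band(f.cvss)  # rejects out-of-range scores early
        per_app[f.app].append(f)

    result = {}
    for app, items in per_app.items():
        tier = criticality.get(app)
        if tier not in CRITICALITY_WEIGHT:
            raise KeyError(f"no criticality tier recorded for {app!r}")
        weight = CRITICALITY_WEIGHT[tier]
        result[app] = {
            "score": round(weight * sum(f.cvss for f in items), 1),
            "worst": cvss_band(max(f.cvss for f in items)),
            "findings": len(items),
        }
    return result


def prioritize(findings, criticality):
    """Return application names in the order they should be tested first."""
    risk = app_risk(findings, criticality)
    # Highest weighted score first; more findings, then name, break ties.
    return sorted(risk, key=lambda a: (-risk[a]["score"], -risk[a]["findings"], a))


# Constructed sample input: three applications, a handful of findings each.
SAMPLE_FINDINGS = [
    Finding("payments-api", "CWE-89", 9.8),
    Finding("payments-api", "CWE-79", 6.1),
    Finding("hr-portal", "CWE-79", 6.1),
    Finding("intranet-wiki", "CWE-22", 7.5),
    Finding("intranet-wiki", "CWE-200", 5.3),
]
SAMPLE_CRITICALITY = {
    "payments-api": "mission-critical",
    "hr-portal": "business",
    "intranet-wiki": "internal",
}

if __name__ == "__main__":
    risk = app_risk(SAMPLE_FINDINGS, SAMPLE_CRITICALITY)
    for app in prioritize(SAMPLE_FINDINGS, SAMPLE_CRITICALITY):
        r = risk[app]
        print(f"{app:15} score={r['score']:5} worst={r['worst']:8} findings={r['findings']}")
```

The point of weighting by tier is visible in the sample output: the internal wiki has a high-severity path traversal finding, but the mission-critical payments API still lands at the top of the test queue, which is the pragmatic ordering Moynahan is arguing for. A real program would replace the constructed weights with ones agreed with the business owners and feed in findings from whatever assessment tooling is in use.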

While I’m still learning about code audits and how applications are built, Moynahan certainly motivated me to do one thing – hand over responsibility for my vehicle inspections to someone more qualified. Perhaps the software industry could follow my lead.

- Jennifer Leggio