Level: Introductory
Claudia Dent, Senior VP, Product Marketing, Ounce Labs
15 Jan 2008
from The Rational Edge: Learn how Ounce 5 source code security analysis can be implemented in alignment with the IBM Rational Unified Process (RUP) as part of the IBM Rational Software Development Lifecycle, resulting in improved security and significant cost reduction due to the earlier detection and mitigation of software security threats.
Attend the Ounce 5 Webinar! See link at the end of this article for details.
This article discusses how Ounce 5 source code security analysis can be implemented in the IBM® Rational® Unified Process (RUP®) and IBM Rational Software Delivery platform, delivering a closed loop of discovery, remediation, and information dashboards, with the ultimate result of providing security governance for software development teams. The following topics are covered:
- Why source code analysis is important for software governance
- For each phase of RUP, the specific software security objectives and milestones that should be met
- How the Rational Software Delivery Platform is integrated with Ounce 5 source code analysis, including integration into the nightly build and developer desktops
- How the integration of Rational and Ounce automates software security governance, enabling the team to more effectively meet project milestones, address regulatory requirements, and reduce overall risk
The importance of early security testing
A key dimension of software governance is ensuring that any software system delivered by an organization is secure. The primary drivers are compliance and data privacy: keeping customer data safe from insecure applications is a non-negotiable requirement. But instead of waiting for the completed application to be tested for security vulnerabilities, organizations are realizing that addressing vulnerabilities as early in the software development lifecycle as possible reduces overall cost. Studies have shown that finding and fixing a defect after deployment can cost up to one hundred times more than addressing it while the application is still under development [1].
Automated source code analysis is widely recognized as the most effective method of testing security early in the life cycle, because it allows assessments of any piece of code without requiring a completed application. The best of these technologies provide the most valuable results by pinpointing vulnerabilities at the precise code involved, and detailing information about the type of flaw, degree of criticality, and how to fix it. Penetration testing is also an important element of software security, but its value comes later in the life cycle, when it can be used on a completed application with a functional interface. According to a recent Gartner report:
"Organizations should implement source code security scanning tools as part of the software development life cycle to find and fix the highest number of security issues early in the project. This will result in a higher-quality product and lower overall application life cycle costs." [2]
Ounce Labs' solution analyzes application source code to provide the most complete and accurate analysis of application vulnerabilities and their relative priorities, providing developers with remediation guidance and enabling the development team to effectively eliminate vulnerabilities at the source. Ounce 5 is a validated "Ready for Rational" partner with rich integrations with both IBM Rational ClearQuest® and IBM Rational ClearCase® change management solution, and with IBM Rational Application Developer.
Ounce 5 and RUP
IBM Rational software helps organizations automate, integrate, and govern the core business process of software and systems delivery via the Rational Software Delivery Platform. Rational's solution spans the entire software and systems delivery lifecycle, including architecture management, change and release management, project and portfolio management, and quality management.
The Rational Software Development Lifecycle product solution is the tool infrastructure and automation of the RUP methodology. RUP is a flexible process framework comprising four major phases: Inception, Elaboration, Construction, and Transition. Ounce source code analysis applies mainly in the Elaboration, Construction, and Transition phases. Figure 1 illustrates where Ounce 5 source code security analysis is conducted in relation to RUP.
Figure 1: Where Ounce 5 conducts security source code analysis in relation to RUP
Inception
Often during the early definition of a software project the focus is solely on the features and functions of the system. This leaves important non-functional issues such as performance, usability, platform support, safety, and security to be resolved later in the lifecycle, causing a lot of unnecessary churn and delays in a project. Even worse, some software is deployed without really being "finished," creating a substandard experience for many stakeholders. RUP encourages not only functional requirements but also non-functional requirements to be defined throughout a development project, starting during the Inception phase. RUP also advocates special attention to requirements that are architecturally significant, ensuring these are validated in earlier iterations of a project. Since security requirements influence overall design and architecture, they should be fully vetted and understood during the Inception and Elaboration phases. Today, standards and regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), and the Health Insurance Portability and Accountability Act (HIPAA), along with guidance such as that of the Open Web Application Security Project (OWASP), drive security requirements. These need to be well understood in conjunction with overall business goals and risks.
Security considerations include a range of issues such as access control and authorization, proper handling of sensitive data, proper use of data and storage access, and encryption methods. Some security requirements are non-functional requirements; e.g., the type of encryption enforced. On the other hand, many security requirements are more use case-oriented and require the definition of a primary scenario (e.g., user logs into system by entering username and password) plus the definition of alternative paths (e.g., authorized user enters the wrong password) and exception paths (e.g., hacker tries to trick the login process). Without both functional and non-functional requirements defined and incorporated into the software appropriately, coding errors and design flaws can surface that will put critical information and operations at risk. Security requirements should be handled like any other requirements, and as such, are prioritized, scoped, and managed as part of the overall use cases and functional requirements using the IBM Rational RequisitePro® requirements management solution.
Ounce 5 automates security testing and flags issues related to security requirements, including basic findings, policy violations, and design flaws. As Figure 2 shows, basic findings include implementation errors such as buffer overflows, race conditions, and missing or incorrect input and output validation. Policy violations and design flaws include vulnerabilities related to cryptography, network communications, access control, malicious code, error handling and logging, and so on.
Figure 2: Basic findings, policy violations, and design flaws
In summary, as a project exits the Inception phase, the following security milestones should be met:
- Identification of critical standards and regulations that impact the software under development, ensuring supporting requirements are fully developed and realized as iterations progress
- High-level security requirements well understood, documented, and prioritized in relation to business objectives
- If known at this time, any architecturally significant security requirement that may pose a risk to schedule should be flagged for priority during Elaboration
Elaboration
During Elaboration, the project plan for the application takes shape: requirements are refined into designs, time estimates for the Construction phase are outlined, and the system architecture is established. Any requirement, including those pertaining to security, that was identified as a potential risk during Inception requires early attention in this phase. A working, end-to-end skeleton of the system that addresses the major technical risks is developed during Elaboration to prove that the architectural strategy works in practice, not just in theory, thereby reducing overall technical risk on the project.
As the designs are fully elaborated and the project plans unfold, new project risks are likely to be identified. A key element of the project plan is a set of project iterations; each iteration having a set of goals and exit criteria, usually in the form of proving a set of requirements are complete. Early iterations should focus on eliminating the risk factors identified during Inception and Elaboration. Test plans and validation of security requirements must be baked into the iteration goals. These test plans and associated test cases are managed in ClearQuest TestManager.
Ounce 5 source code analysis is one of the key elements of security testing and should be itemized in the test plans. Ounce 5 source code analysis is conducted at each iteration to prove certain security milestones, but it is even more effective to run it on a regular basis as part of the nightly build process. This ensures that coding errors and design flaws are found and resolved on a regular basis, dramatically reducing the security risk to the system.
To get the most from Ounce 5 analysis, the engine can be customized during Elaboration to flag policy violations specific to an organization or a particular application.
Some examples of customization include:
- Use of a specific encryption algorithm. Ounce 5 tests both for missing encryption and for the use of weak algorithms.
- Use of proper validation routines, i.e., the specific routines that ensure data entering the system has the proper format and content; data is treated as untainted only after it has passed through them.
- Improper API usage, flagging calls to APIs that are banned because they may propagate taint.
- Elimination of hard-coded passwords or embedded user names.
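To make the customization categories above concrete, the following is an added example written for this page; it is not Ounce 5 code and does not reproduce the Ounce rule engine. It is a small, flow-insensitive policy checker over a Python abstract syntax tree that flags hard-coded credentials, prohibited algorithms, banned taint-propagating APIs, and untrusted input reaching a sink without first passing through a validation routine. The rule sets (WEAK_ALGORITHMS, TAINT_SOURCES, SANITIZERS such as validate_id, SINKS, BANNED_APIS, CREDENTIAL_WORDS) stand in for an organization's policy and are assumptions, and the SAMPLE program is constructed for the demonstration.

```python
"""Toy policy checker: a flow-insensitive taint and policy scan over a Python AST.
Added example for this page, not Ounce 5 code; the rule lists below are assumed policy."""
import ast
from dataclasses import dataclass

WEAK_ALGORITHMS = {"DES", "RC4", "MD5", "SHA1"}                       # prohibited cipher/hash names
TAINT_SOURCES = {"input", "getenv", "recv"}                            # return attacker-controlled data
TAINT_PROPAGATORS = {"strip", "lower", "encode", "decode", "format"}   # pass taint through
SANITIZERS = {"validate_id", "validate_path"}                         # assumed validation routines
SINKS = {"execute", "system", "popen"}                                # must not receive tainted data
BANNED_APIS = {"eval", "exec"}                                        # banned outright by policy
CREDENTIAL_WORDS = ("password", "passwd", "secret", "api_key")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def _segments(node):
    """Dotted callee name as a list, e.g. hashlib.md5 -> ['hashlib', 'md5']."""
    if isinstance(node, ast.Name):
        return [node.id]
    if isinstance(node, ast.Attribute):
        return _segments(node.value) + [node.attr]
    return []  # a call or subscript in the chain ends the name


class PolicyChecker(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []

    def _report(self, node, rule, detail):
        self.findings.append(Finding(node.lineno, rule, detail))

    def _is_tainted(self, expr):
        """True if the expression carries data derived from a taint source."""
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.BinOp):            # e.g. string concatenation
            return self._is_tainted(expr.left) or self._is_tainted(expr.right)
        if isinstance(expr, ast.Call):
            segs = _segments(expr.func)
            name = segs[-1] if segs else ""
            if name in SANITIZERS:
                return False                       # validated data is clean
            if name in TAINT_SOURCES:
                return True
            if name in TAINT_PROPAGATORS:          # receiver or any argument tainted
                parts = list(expr.args)
                if isinstance(expr.func, ast.Attribute):
                    parts.append(expr.func.value)
                return any(self._is_tainted(p) for p in parts)
        return False  # literals and unknown calls: assumed clean (optimistic simplification)

    def visit_Assign(self, node):
        self.generic_visit(node)  # check calls on the right-hand side first
        value = node.value
        for name in [t.id for t in node.targets if isinstance(t, ast.Name)]:
            if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value \
                    and any(w in name.lower() for w in CREDENTIAL_WORDS):
                self._report(node, "hardcoded-credential", f"{name} is assigned a string literal")
            if self._is_tainted(value):
                self.tainted.add(name)
            else:
                self.tainted.discard(name)  # reassigned with clean data

    def visit_Call(self, node):
        segs = _segments(node.func)
        name, dotted = (segs[-1] if segs else ""), ".".join(segs)
        if name in BANNED_APIS:
            self._report(node, "banned-api", f"{dotted}() must not be used")
        if any(s.upper() in WEAK_ALGORITHMS for s in segs):
            self._report(node, "weak-crypto", f"{dotted} uses a prohibited algorithm")
        if name in SINKS and any(self._is_tainted(a) for a in node.args):
            self._report(node, "unvalidated-input", f"tainted data reaches {dotted}()")
        self.generic_visit(node)


def analyze(source, filename="<sample>"):
    """Return policy findings for one source file, ordered by line number."""
    checker = PolicyChecker()
    checker.visit(ast.parse(source, filename))
    return sorted(checker.findings, key=lambda f: (f.line, f.rule))


# Constructed sample program exercising each rule (not real application code).
SAMPLE = """\
import hashlib, os
DB_PASSWORD = "hunter2"
def lookup(db):
    user_id = input("id: ")
    rows = db.execute("SELECT * FROM t WHERE id=" + user_id)
    safe = validate_id(user_id)
    rows2 = db.execute("SELECT * FROM t WHERE id=" + safe)
    digest = hashlib.md5(user_id.encode()).hexdigest()
    os.system("ls " + user_id.strip())
    eval(user_id)
    return rows, rows2, digest
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Running the module prints one finding per line with the rule name and a short explanation, which is the shape of result the text describes: file, line, and type of flaw. Line 7 of the sample produces no finding because the value passed to the sink came through validate_id, while line 5 and line 9 are flagged because the input reached the sink directly or only through a string method that preserves taint. A real engine does this across control flow and call boundaries with far richer models of sources, propagators and sanitizers; the point here is that the organization-specific policy lives in the rule sets, which is what the Elaboration-phase customization amounts to.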
During the Elaboration phase, the architecture that realizes the security requirements is completed. In addition, the construction of these requirements should be planned, and validation of each requirement baked into the criteria for iterations occurring during the Construction phase.
In summary, as a project exits the Elaboration phase, the following security objectives should be met:
- Design of security use cases and requirements complete
- Project plan and iterations for construction defined
- Ounce 5 security test plans included in overall testing strategy, both at iteration milestones and on an ongoing basis
- If appropriate, Ounce 5 customized for specific policies
- Produce a "build-able" system as early as possible
Construction
The Construction phase is where most of the code is actually built. It is divided into a series of iterations, each with defined goals such as the validation of feature use cases or of significant architectural use cases; these milestones are defined in the Elaboration phase. Security use cases, just like other requirements and use cases, must be validated through iteration milestones during the course of the Construction phase. This provides evidence, iteration by iteration, that the security requirements are actually met rather than deferred to a final audit.
In addition to validating use cases, during Construction teams also want to ensure that coding errors, or "bugs," are not introduced. This is achieved through continual testing of the source code and the introduction of best coding practices. Using the Ounce 5 developer plug-in, developers can continually verify the security of the software they are writing, so that code is as clean as the analysis can make it before it is checked in for the build. One of the goals of the Construction phase is to produce a "build-able" system as early as possible: the sooner the system can be built, the sooner integration risks are eliminated and the system can be tested holistically on a regular basis. From a security perspective this is critical, because vulnerabilities often arise from the interaction of components that are individually sound. Ounce 5 source code analysis should therefore be part of the regular or nightly build, constantly verifying security during the continual flow of changes to the source code. Ounce 5 performance is optimized so as not to adversely affect build times; if teams are building multiple times during the day, the analysis can be part of that process as well.
The following describes the nightly build workflow and how Ounce 5 is integrated with the IBM Rational solution:
- The source code is scanned as part of the regular or nightly build (see Figure 3): Using IBM Rational Build Forge®, builds across a development team are scheduled and monitored. Build Forge enables a release engineer to define and automate specific build processes. Ounce 5 provides a command line interface, enabling Ounce 5 source code analysis to be automatically kicked off as part of the build process. Once the analysis is complete, the results are made available to the security analyst for triage purposes.
Figure 3: Scanning source code as part of the regular build process
- The Security Analyst triages the results and submits issues to development (see Figure 4): For larger organizations, the security analyst is usually a dedicated individual who focuses solely on security issues in the software development lifecycle. In smaller development teams, people often wear many hats and the security analyst may be a senior developer with a deeper understanding of source code security issues. In either situation, the security analyst uses the Ounce 5 Security Analyst product to triage the results of the analysis. Ounce 5 provides key capabilities that aid in streamlining the triage process. For example, the Vulnerability matrix quickly identifies confirmed vulnerabilities, so immediate action may be taken. The security analyst uses the Ounce 5 ClearQuest integration to dispatch issues to development. Issues can be grouped into a bundle for efficiency and dispatched all at once to ClearQuest. Individual ClearQuest records are generated automatically.
Figure 4: Submitting results with Security Analyst
- The project manager and team members determine priorities (see Figure 5): For a development team to take appropriate action on security coding errors and design flaws, they must be prioritized and managed like any other requirement, defect, or enhancement request. The Ounce 5 integration with ClearQuest enables security issues to be addressed by the developers in an environment they understand. Ounce 5 issues can be dispatched directly to developers for their immediate action or they can be dispatched to a project manager who then delegates to members of the development team.
The Ounce 5 ClearQuest integration will automatically populate the ClearQuest fields with severity and priority rankings based on default field mappings. For example, Ounce 5 findings that are confirmed vulnerabilities and high severity will be mapped as high priority and high severity in ClearQuest. If these default mappings don't work for the team's workflow, organizations can also customize the default mappings to their specific fields in ClearQuest.
Figure 5: Ounce 5 ClearQuest integration
The specific ClearQuest record number is also captured in the Ounce 5 Security Analyst for tracking purposes. Once the issue is assigned to a developer in ClearQuest it will now be managed as part of the overall project, and counted as a metric toward overall health and progress of the software.
- The developer remediates security issues (see Figure 6): When using the IBM Rational Application Developer IDE in combination with the Ounce 5 Developer Plug-in, the developer does not need to leave the IDE to complete the remediation of security vulnerabilities. The developer has full visibility into the priority of the security issue via the ClearQuest "To Do" list. Once the developer selects a security vulnerability to resolve, he/she opens the Ounce 5 view where the vulnerable line of code is highlighted. In addition, there is remediation guidance describing how the code is vulnerable, along with best practices recommendations with examples of bad code and good code. Once the developer fixes the issue, the developer has the option to perform a local scan to verify the fix and check for any other issues that may have been introduced. After the developer is through the remediation process, the code is checked into ClearCase, ready for the nightly build and for the cycle to begin again.
Figure 6: Remediating security issues with Ounce 5
The benefits of integrating Ounce 5 source code analysis into Rational Application Developer and scanning on a regular basis are twofold. The first is that the risk of shipping an exploitable vulnerability to production is greatly reduced. The second is the longer-range benefit of having educated developers who are less likely to introduce vulnerabilities, because the remediation guidance in Ounce 5 teaches better coding practices as it is used. Teams will introduce fewer flaws in future development projects. To encourage more secure coding practices, the Ounce 5 Developer Plug-In provides free and unlimited usage for remediation.
In summary, as a project exits the Construction phase, the following security objectives should be met:
- Security design and architecture is fully realized
- All security requirements are validated during the course of the construction iterations
- Ongoing source code analysis automated to ensure vulnerabilities due to poor coding practices have not been introduced
- Developers should be better educated on secure coding best practices
Transition
During the Transition phase the software system is turned over to the users. In preparation for this, a beta test is conducted in which the users themselves verify that the system performs as promised and that the functionality is complete. Before full deployment the production environment should be emulated as closely as possible and final acceptance tests conducted.
A key dimension of this acceptance testing is, of course, security testing. Penetration testing, for example with a dynamic scanner such as IBM Watchfire® AppScan, should be conducted at this point against the production-like environment to find vulnerabilities that only show up in the deployed, running application. Ounce 5 source code analysis is complementary to penetration testing: Ounce 5 can pinpoint a vulnerability to the exact line of code, whereas a penetration test discovers the vulnerability by exercising the application's external attack surface and the finding still has to be traced back to its cause in the code. How rigorous the security audit and acceptance test are for a particular application depends on which regulations (e.g., PCI DSS) and standards apply. Ounce 5 provides SmartAudit reports (see Figure 7) to support compliance efforts. The SmartAudit report provides a "report card" of the application covering the full breadth of design issues as well as coding flaws.
Figure 7: Ounce 5 SmartAudit supports compliance with regulations and standards.
Of course, once a system is in production, the work is not over. Users request new functionality, quality issues are discovered, and basic maintenance must be performed. During these release cycles it is imperative to continually test for security vulnerabilities as part of the nightly build and at major iteration milestones.
Many enterprises have dozens of applications already in production, that is, in the Transition phase. Many of these were developed years ago, before application-layer attacks and data-exposure risks were as prevalent as they are today, so organizations will need to go back and assess them for risk. Because security resources should be well invested, it is important to measure risk with relative metrics to prioritize where remediation efforts are most urgent. Ounce 5 provides portfolio management capabilities (see Figure 8) to manage an application portfolio consistently and continuously.
Figure 8: Ounce 5 portfolio management
In summary, during the Transition phase, the following security milestones should be accomplished:
- Final acceptance test completed before deployment
- Preparation for ongoing enhancements and maintenance established
- Application risk is managed as part of a larger portfolio of deployed applications
Conclusion
With the increased spotlight on software security due to increasing attacks and corresponding regulations, everyone on the software development team bears some element of responsibility for software security. When Ounce 5 source code analysis is implemented in RUP using the Rational Software Delivery Platform, there is both a process framework and the automation to simplify and clarify each team member's role in ensuring software security. From Inception all the way to Transition, there are clear milestones to be met. The end result is twofold: software delivered in accordance with defined security standards, and reduced costs from avoiding the heavy expense of fixing software in production.
Table 1 summarizes each phase of RUP, the key software security milestones, and the primary tools for automation required during that particular phase.
TABLE 1: Summary of RUP phases, milestones, and tool automation
| RUP Phase | Milestones to be achieved upon exit | Tool Automation |
|---|---|---|
| Inception | Clear understanding of standards and regulations that impact the software under development; security requirements well understood, documented, and prioritized in relation to business objectives; if known at this time, any architecturally significant security requirement that may pose a risk to schedule flagged for priority during Elaboration | IBM Rational RequisitePro |
| Elaboration | Design of security use cases and requirements complete; project plan and iterations for Construction defined, ensuring security requirements are validated as part of iteration goals; Ounce 5 security test plans included in overall testing strategy, both at iteration milestones and on an ongoing basis; if appropriate, Ounce 5 customized for specific policies | IBM Rational RequisitePro; IBM Rational ClearQuest TestManager; Ounce Security Analyst |
| Construction | Security design and architecture fully realized; all security use cases validated during the course of the Construction iterations; ongoing source code analysis automated to ensure vulnerabilities due to poor coding practices have not been introduced; developers better educated on secure coding best practices | IBM Rational ClearQuest; IBM Rational Application Developer; Ounce Security Analyst; Ounce Developer Plug-In |
| Transition | Final acceptance test completed before deployment; preparation for ongoing enhancements and maintenance established; application risk managed as part of a larger portfolio of deployed applications | IBM Rational ClearQuest; Ounce Security Analyst; Ounce Portfolio Manager |
Notes
1 B. Boehm and V. Basili, "Software Defect Reduction Top 10 List." IEEE Computer, January 2001.
2 "Implement Source Code Security Scanning Tools to Improve Application Security," Amrit Williams, Gartner, April 4, 2006.
Resources
- Participate in the discussion forum: a forum has been created specifically for Rational Edge articles, where you can share your thoughts about this or other articles in the current issue or the archives, read what colleagues the world over have to say, start your own discussion, or join discussions in progress.
- Attend the webinar "Secure at the Source: Implementing Source Code Analysis in the IBM Rational Software Delivery Lifecycle," presented by the Global Rational Community (GRC) on 02/13/2008, 12:00pm - 1:00pm Eastern Standard Time (GMT-05:00, America/New_York). The webinar covers how Ounce 5 source code analysis can be implemented in each phase of the IBM Rational Software Delivery platform, delivering a closed loop of discovery, remediation and informed dashboards, with the ultimate result of providing security governance for software development teams.
- Global Rational User Group Community
About the author
Claudia Dent is the Senior Vice President of Product Marketing for Ounce Labs, Inc., a security solutions company based in Waltham, MA. Formerly IBM Vice President, Product Management, Rational Division, she has over twenty years of experience in the high tech industry. She held numerous leadership positions during her ten years at Rational, including Vice President, Rational Suites Business Unit and Director, Product Marketing, Change Management Business Unit. Claudia received her BS in Electrical Engineering in 1982 from the University of Rhode Island.