Secure Software Unveils CLASP, a Comprehensive Process to Dramatically Improve Software Security

LA JOLLA, Calif. -- CLASP Integrates Security into the Application Development Process

Secure Software, an authority in automated application security products and process technology, today announced the immediate, free availability of CLASP (Comprehensive, Lightweight Application Security Process), a process guide that helps organizations incorporate security into their application development lifecycle. CLASP reflects years of work with development teams to address security issues. It is authored by John Viega and Secure Software, with assistance from IBM and webMethods. CLASP is shipping with all Secure Software products, and a complimentary download is available at www.securesoftware.com.

"Today's development organizations are faced with the traditional time-to-market and cost pressures that make them hesitant to introduce new processes into the software development lifecycle," said Melissa Webster, research director at IDC. "However, they are facing increasing market and management pressure to produce more secure applications. By integrating security best practices into their existing development processes, organizations can dramatically improve the security of their software while reducing the cost and time-to-market impact associated with existing approaches such as manual code audits and post-development remediation."

CLASP, derived from accepted best practices for building secure software, is an activity-driven, role-based process that offers practical, hands-on guidance to everyone in the software development lifecycle. Designed to integrate with an organization's existing development processes, CLASP activities document what needs to be accomplished, by whom, and when, to ensure increased security and integrity.

"Meaningful improvements in application security can be achieved via better security practices in the development lifecycle. This is only likely to happen when the security teams understand and support the process-oriented needs of development shops," said Amit Yoran, private security advisor and former Bush Administration Cyber Chief. "The application security process provides clear guidelines development organizations can follow to weave proven security processes into their practices without significant cost impact or lengthening of the existing development schedule."

"The proliferation of off-shore application development, combined with the compliance pressures of Sarbanes-Oxley, GLBA and other regulatory requirements, has raised the security stakes significantly for those affected large organizations," said Vincent Campitelli, managing director of Emerging Risk for the Internal Audit Division of Wachovia Bank. "Integrating rigorous security process into the application development lifecycle can be significantly less expensive than retrofitting applications and has a greater overall impact on reducing organizational risk."

CLASP is designed to be both easy to adopt and quickly integrated into existing software development processes. It takes a prescriptive approach, documenting critical activities that each member of the software project team must consider. CLASP provides an extensive set of security resources (templates, guidelines and white papers), making implementation of key activities predictable and reasonable, particularly when also introducing tools to help automate various security functions within the overall software development lifecycle (SDLC).
"Software development is a professional discipline and, in many respects, the process is more important than the software tools employed. This fact has escaped the attention of many IT security vendors," said Robin Bloor, partner at Hurwitz Associates and a former developer. "Many vendors place far too much emphasis on automating the discovery and remediation of vulnerabilities during later stages of the product lifecycle. The most economic and efficient approach is to remedy such problems as early in the project as possible. Secure Software's CLASP is the first approach I have seen that focuses on this and builds the security process into the design and development phases. It is a 'best practice' approach to improving the security of software."

CLASP includes:

1) Descriptions of approximately two dozen specific activities that can be implemented within a software development (or deployment) lifecycle to increase security. For each activity, CLASP outlines a number of specific steps that may be taken and documents such factors as the purpose of the activity, who owns the task and who contributes to it, the applicability or scope of the task, its potential impact, frequency, and cost (in time).

2) Eight roles within the SDLC (project manager, security auditor, etc.), together with the activities each role is responsible for completing and those it participates in. By examining related activities, individuals can readily identify specific actions they can take within the scope of their responsibility to improve security.
3) Best Practices. At the core of CLASP are seven best practices:

--Institute security awareness programs
--Publish software security policies and operational guidelines
--Establish software security development practices
--Monitor security metrics
--Manage vulnerability remediation processes
--Establish security assessment strategy
--Establish software management control processes

Each of these best practices is intended to address root-cause software security issues which, if left unattended, can result in highly exploitable conditions in business-critical applications. The consequences of inaction can include loss of data, identity theft, attack by worms, viruses and trojans, and denial of service--all having a significant economic impact on today's businesses.

4) An Implementation Guide, documenting--for different types of projects--how an organization can approach the task of implementing CLASP, including the specification of a process engineering plan and a supporting team.

5) A vulnerability root-cause reference, providing specific information on different types of vulnerabilities, including the cause of the vulnerability, potential consequences, where in the lifecycle it can be introduced, how it can be avoided or remediated, and examples and discussions.
"Secure Software is doing for software security what Rational did for application development," said Kevin Kernan, CEO of Secure Software and seventeen-year veteran of Rational Software and IBM. "Driving industry collaboration and providing industrial-strength capability was a critical part of Rational's success. The application security sector requires a similar approach."

About Secure Software

Secure Software provides application-security products and process technology that help organizations cost-effectively eliminate security flaws at the source - insecure software code - in legacy, acquired and new-start applications. The Company's recently launched CodeAssure(TM) product suite automates the discovery and vulnerability analysis needed to prioritize and fix insecure software code, and provides process guidance for building more secure applications early in the development lifecycle. Based in McLean, Va., Secure Software sells its solutions to large government agencies and utilities, financial institutions, healthcare organizations and independent software vendors. For more information visit www.securesoftware.com.