Wednesday, October 5 • 3:00pm - 3:45pm
Measuring the Cybersecurity of Software


Recent security breaches such as the ones at SWIFT and Target are entering the realm of nine-digit defects, where damages can exceed $100 million. This makes the security of business applications a boardroom issue. Advances in static analysis technology enable IT to detect weaknesses in the source code that can be exploited to gain unauthorized entry. Both the Software Engineering Institute and CAST Software have recently found that weaknesses causing reliability problems can in many cases be exploited for unauthorized entry, indicating that poor quality code is also insecure code.

The Consortium for IT Software Quality (CISQ) is chartered by its industrial sponsors to create automatable measures of software size and quality. CISQ measures include standards recently approved by the Object Management Group for Automated Function Points, Reliability, Security, Performance Efficiency, and Maintainability. The four quality measures are based on the definitions of these attributes in ISO 25010 and provide source-code-level measures that supplement the largely behavioral measures in ISO 25023. In particular, the Security measure is based on measuring 22 of the Top 25 Common Weakness Enumerations (the CWE/SANS Top 25 Most Dangerous Software Errors, together with the OWASP Top 10) that can be detected through static analysis. These weaknesses include well-known culprits such as SQL injection, buffer overflows, and cross-site scripting. This measure provides an accurate estimate of the likelihood that an attacker can find an exploitable weakness in an application.

The continuing flow of breaches exploiting SQL injection, a weakness known since the late 1990s, suggests that IT needs a major undertaking similar to the Y2K effort to rid source code of the most easily exploited weaknesses. Executives both inside and outside IT need to assess the cybersecurity risk of their systems using measures such as the CISQ standards and enforce remedial actions based on them.

Speakers

Lev Lesokhin

Board Member, Consortium for IT Software Quality (CISQ)


Wednesday October 5, 2016 3:00pm - 3:45pm EDT
Central Park West 6501 / Central Park East 6501a (joined rooms), Microsoft Technology Center, 11 Times Square, New York, NY 10036