One of the many ways that developers can build secure software is by following the tenets of the Building Security in Maturity (BSIMM) approach, now in its fourth generation.
One of the most common types of software security attack vectors is the use-after-free condition, where an attacker makes use of legitimately allocated memory to launch an attack.
The BSIMM 4 approach advocates using multiple layers of practices that can help limit the risks of such a vulnerability. Jacob West, CTO of Fortify Products and co-author of BSIMM 4, explained to eSecurity Planet that BSIMM takes a holistic approach.
One of the best practices advocated by BSIMM 4 is training and education.
“So you’re teaching developers about a kind of bug they have experienced in the past and need to be aware of,” West said. “Then BSIMM follows up on that with a one-two punch using security standards and giving developers concrete guidance and how to code securely and avoid that mistake.”
Using a static analysis tool to then verify the code also provides a layer of mitigation against use-after-free and other common software defects.
“You really need a comprehensive approach to address software security problems,” West said. “With that broad view, you can get good visibility into a combination of activities that an enterprise might need to address a specific problem like use-after-free.”