In-Depth

CLASP process helps developers integrate security

• By John K. Waters
• July 1, 2005

Want to produce applications that are more secure, even in the face of crushing time-to-market pressures and budget constraints? Integrate security best practices into your existing development process, says Secure Software’s CEO Kevin Kernan—and just about everybody else in the know.

Kernan’s company develops and sells products that automate the process of identifying risks in the application code. But the company is giving away a recently published set of application security best practices, called Comprehensive, Lightweight Application Security Process (CLASP).

CLASP is a set of process pieces designed to be both easy to adopt and quickly integrated into existing software development processes, Kernan says. “I didn’t want people to react as they typically do when you say the word ‘process,’” he says, “which is, ‘Oh my god, I’ve got to re-carpet the whole building!’ We were very careful to organize this as component-based and role-based—something that can be swallowed in incremental doses.”

CLASP grew out of the work of Secure Software’s CTO John Viega. A widely published security guru, Viega spent 6 years working on security with development teams. “We’ve built a process that has essentially codified the lessons learned from the work that John and his team have done.”

The result is a series of role-based activities, artifacts, guidelines and templates that organizations can adopt and overlay on their existing software development process.

At the heart of CLASP are seven best practices, listed here with Kernan’s descriptions.

1. Institute awareness programs: Educate the organization on what is important, why and who is accountable.

2. Establish assessment strategy: Determine what the inspection process will be and how the results are to be analyzed.

3. Establish security requirements: Ensure that security requirements have the same level of “citizenship” as all other “must haves.”

4. Define and monitor metrics: If it’s not measurable, progress is impossible to determine.

5. Implement secure development practices: Defined security activities, artifacts, guidelines and continuous reinforcement must become part of the culture.

6. Build vulnerability remediation processes: If it’s bad and you find it, you must be able to assess and contain the exploitation potential, and collapse the problem.

7. Publish operational guidelines: The safe-handling procedures for the security of an operational system; if I find something and the system can’t be fixed immediately, tell the team what the options are.

CLASP also includes:

• Descriptions of approximately two dozen specific activities that can be implemented within a software development (or deployment) lifecycle to increase security. For each activity, CLASP outlines a number of specific steps that may be taken and documents such factors as the purpose of the activity, who owns the task and the relevant contributors to it, the applicability or scope of the task, its potential impact, frequency and cost (in time).

• Eight roles within the software development lifecycle, including project manager and security auditor, and the activities for which they are responsible for completing and that they participate in completing.

By examining related activities, individuals are able to readily identify actions they can take within the scope of their responsibility to improve security.

• An implementation guide, documenting—for different types of projects—how an organization can approach the task of implementing CLASP, including the specification of a process engineering plan and a supporting team.

• A vulnerability root cause reference, providing specific information on different types of vulnerabilities—including the cause of the vulnerability, potential consequences, where in the lifecycle it can be introduced, how it can be avoided or remediated, and examples and discussions.

The entire set of CLASP practices is available as a free download from the Secure Software Web site. There’s also a hardcopy available. IBM is also making CLASP available as a Rational Unified Process plug-in. Go to www.securesoftware.com for more information.

Back to feature: Don’t Let Your Applications Get You Down