CLASP process helps developers integrate security
- By John K. Waters
- July 1, 2005
Want to produce applications that are more secure, even in the face of crushing
time-to-market pressures and budget constraints? Integrate security best practices
into your existing development process, says Secure Software’s CEO Kevin
Kernan—and just about everybody else in the know.
Kernan’s company develops and sells products that automate the process
of identifying risks in the application code. But the company is giving
away a recently published set of application security best practices, called
Comprehensive, Lightweight Application Security Process (CLASP).
CLASP is a set of process pieces designed to be both easy to adopt and quickly
integrated into existing software development processes, Kernan says. “I
didn’t want people to react as they typically do when you say the word
‘process,’” he says, “which is, ‘Oh my god, I’ve
got to re-carpet the whole building!’ We were very careful to organize
this as component-based and role-based—something that can be swallowed
in incremental doses.”
CLASP grew out of the work of Secure Software’s CTO John Viega. A widely
published security guru, Viega spent 6 years working on security with development
teams. “We’ve built a process that has essentially codified the
lessons learned from the work that John and his team have done.”
The result is a series of role-based activities, artifacts, guidelines
and templates that organizations can adopt and overlay on their existing software
At the heart of CLASP are seven best practices, listed here with Kernan’s
1. Institute awareness programs: Educate the organization
on what is important, why and who is accountable.
2. Establish assessment strategy: Determine what the inspection
process will be and how the results are to be analyzed.
3. Establish security requirements: Ensure that security requirements
have the same level of “citizenship” as all other “must haves.”
4. Define and monitor metrics: If it’s not measurable,
progress is impossible to determine.
5. Implement secure development practices: Defined security
activities, artifacts, guidelines and continuous reinforcement must become part
of the culture.
6. Build vulnerability remediation processes: If it’s
bad and you find it, you must be able to assess and contain the exploitation
potential, and collapse the problem.
7. Publish operational guidelines: The safe-handling procedures
for the security of an operational system; if I find something and the system
can’t be fixed immediately, tell the team what the options are.
CLASP also includes:
• Descriptions of approximately two dozen specific activities
that can be implemented within a software development (or deployment) lifecycle
to increase security. For each activity, CLASP outlines a number of
specific steps that may be taken and documents such factors as the purpose of
the activity, who owns the task and the relevant contributors to it, the applicability
or scope of the task, its potential impact, frequency and cost (in time).
• Eight roles within the software development lifecycle, including project
manager and security auditor, and the activities for which they are responsible
for completing and that they participate in completing.
By examining related activities, individuals are able to readily identify
actions they can take within the scope of their responsibility to improve security.
• An implementation guide, documenting—for different types of projects—how
an organization can approach the task of implementing CLASP, including the specification
of a process engineering plan and a supporting team.
• A vulnerability root cause reference, providing specific information
on different types of vulnerabilities—including the cause of the vulnerability,
potential consequences, where in the lifecycle it can be introduced, how it
can be avoided or remediated, and examples and discussions.
The entire set of CLASP practices is available as a free download from
the Secure Software Web site. There’s also a hardcopy available.
IBM is also making CLASP available as a Rational Unified Process plug-in. Go
to www.securesoftware.com for more information.
Back to feature: Don’t
Let Your Applications Get You Down
John K. Waters is a freelance writer based in Silicon Valley. He can be reached
at [email protected].