PGP CTO Blog

How to Build Secure Software
04 October 2006

Building good software is the supreme challenge every company faces. There are many facets of building good software that range across the entirety of the software development process. These fit together in a way that is similar to a defense-in-depth strategy, resulting in a “quality-in-depth” strategy.

At the lowest level, there is the raw software quality. I've spent my entire career as someone who makes software. I’ve found the last few years particularly interesting because the whole world has suddenly become interested in software quality, especially in the way that it relates to computer security. Software entomology has become a spectator sport. It often seems to me that people who find and observe security problems forget that they’re not natural phenomena: they’re bugs. They can be particularly nasty bugs, but they're bugs nonetheless, and thus security problems are a subset of quality problems.

There are many ways that we at PGP Corporation protect against these problems, both actively and passively. We publish our source code and make it available via our website. Some 600+ people download PGP® source code every month. Of course, not everyone spends a lot of time looking at the code, but that’s still a lot of people doing something with it (and it isn't merely our competitors looking for coding tips). The bottom line is that if you’re a software developer and you know people are going to read everything you write, you’re just more careful.

We’ve also created a consistent set of services we call the PGP® Encryption Platform. It includes our PGP® Software Development Kit (SDK), which gives us mechanisms to write good code on every computer we support. The PGP® SDK defines not only the cryptography but also networking, memory handling, and data parsing. Our PGP® Desktop, PGP Universal™, and PGP® Command Line solutions all use the PGP SDK as their common core engine for a wide variety of services. But the platform includes higher-level mechanisms as well. For example, the PGP® Support Package for BlackBerry® talks to PGP Universal with the same web services used by the PGP Universal™ Satellite client. Research In Motion® (RIM®) wrote the BlackBerry software (as other product designers could as well), but it's still part of the family because it uses the same platform as everything else. We also have hundreds of customers that use the PGP Encryption Platform inside their corporate infrastructure for internal programs and processes.

Of course, we use our QA and test staff to verify that we're building good code. We also use the Coverity source code analyzer, which checks for whole classes of problems more thoroughly than human testers can. This lets our people concentrate on the parts of the design and implementation that only human beings can properly understand. We also regularly run penetration tests and network security tests against our products.

We also get outside validations: for example, we regularly validate the PGP SDK against FIPS 140-2, a cryptographic validation program developed by the U.S. National Institute of Standards and Technology (NIST). However, the best way to find difficult problems is to get an outside team to go over the entire system. Software developers know that they’re not the right people to test their own code, and that's why software development teams have testing groups. Taking that model to another level, there’s nothing better than getting a team of smart people with fresh eyes to look at a system. It is important that these people are a different group from the internal QA team, because you want people with different assumptions and different approaches looking at the system. This summer, we hired Independent Security Evaluators to analyze PGP Universal. We admire their relentless, no-holds-barred approach, and we wanted them to beat up PGP Universal. They started as we put PGP Universal 2.5 into beta test. I’m very proud to be able to quote the leader of the evaluation:

“The good news is that we're very impressed with the quality of your code, and PGP Universal avoids many of the typical problems that we're used to seeing in systems as complex as this. We did not perform an exhaustive source code review, but we did examine many of your system's components. In general we did not find the sort of ‘easy’ remote exploits that are typical of other applications.”

The better news was that they found some things for us to fix. You may wonder why I consider it "better" to find problems that need fixing. The master of quality principles, W. Edwards Deming, showed that the sooner you find a problem and fix it, the cheaper it is. When an outside group of very smart people actually has to dig to find problems, you know that some potentially expensive problems are no longer a concern. Also, you can't prove a negative, and you can't prove quality by finding no problems. If the testing team finds no problems, you're never quite sure how good they were.

At the highest conceptual level, software exists to fill a need, and anyone who makes products must think about the needs they satisfy and consider the ways those needs change. The newest system we have is PGP® NetShare. PGP NetShare is a new direction for us because it uses encryption as a way to provide access control. You can designate files and directories of files with access policies, and those policies are public keys. If someone has one of the right keys, they can open the file and use it normally. If that person doesn't have an appropriate key, the file remains encrypted and they can't use it. This approach works for local files or files on a network file server. It works for shared files just as well as for personal documents. (Thus the name "NetShare.") Even better, administrators can convert files and directories of files into PGP NetShare–protected files and directories for groups of which they’re not members. They can back up, restore, and maintain PGP NetShare–protected files whose content they can’t use themselves. I’m excited because this means you can have cryptographically enforced separation of roles and duties with PGP NetShare. All of this is managed by a single key management system that covers everything from email to disks and files.

Four years ago, we started the new PGP Corporation. You can see now why we did. We have a vision of useful new products to help people solve real problems in an innovative way. We have a broad development platform that we, our partners, and our customers all use for information security with a simple, unified central management system. We back that up with testing, independent evaluations, and industry validations. We’re particularly dedicated to creating good software because our customers hold us to a higher standard. It’s a joyful burden to be the best.
