Secure Coding Framework (SCF)
The SCF addresses the problem of application cybersecurity head-on with a new development platform for building secure code from the ground up. It is the equivalent of a new secure programming language, but better. The mainstream languages in use today inherit their primitive types and operators from C and C++, which were designed in the 1970s and 1980s; Java (1995) and C# (2000) kept the same unchecked integers, arithmetic and comparison operators. None of them were designed with security as the overarching concern; their primary objectives were utility and performance, and they were developed long before cybersecurity breaches reached the crisis stage. Today's developers use static analysis tools and secure coding standards to identify and remedy known vulnerabilities in source code, but this methodology is inadequate for closing the application cybersecurity gap. It has turned out to be an expensive and never-ending process that reduces the risk of application cyber attacks but never eliminates it.
The SCF is designed to eliminate the need for static analysis on the code written with it. It is a class library that can be built on any mainstream object-oriented programming language. This class library wraps and replaces the vulnerable primitives and operators of the underlying programming language using patent-pending technology referred to as Cybersecurity through Lexical and Symbolic Proxy (CLaSP). Primitives of the language are replaced with secure classes.
Operators are replaced with secure methods. The source code for these classes is written in accordance with the SEI CERT Secure Coding Standards, so the vulnerability classes those standards address (unchecked integer arithmetic, unvalidated indices, and the like) are handled once, inside the library, rather than at every use site in application code. A pre-compiler validates that your code contains no raw primitives or operators; only then is the compiler of your mainstream programming language used to compile it. The SCF built on CLaSP provides a potential path to bullet-proof secure code.
What makes the SCF better than a new secure programming language is its ability to interface easily with the many lines of legacy code that, for practical reasons, cannot be secured overnight. The SCF provides a built-in mechanism for interfacing new SCF-based secure code with your legacy code. You can focus on protecting the crown jewels of your application with new secure code without sacrificing the investment you have in existing legacy code. This makes migration to the SCF more palatable for its customers.
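As an added illustration of the two ideas above (primitives replaced by secure classes with operators replaced by secure methods, plus a checked boundary to legacy code), the following Java sketch is not Digital Dataworks' SCF or CLaSP code, which is patent-pending and not shown on this page. The class name `SecureInt`, its methods, and the toy `PrimitiveScanner` standing in for the pre-compiler pass are all assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Illustrative secure wrapper for the int primitive (hypothetical; not the SCF's own class).
 * Every arithmetic operator the primitive would perform silently is a method that
 * refuses to wrap around, as the SEI CERT rules for integer overflow require.
 */
public final class SecureInt {
    private final int value;

    private SecureInt(int value) { this.value = value; }

    /** Legacy boundary, inbound: wrap a raw int arriving from existing code. */
    public static SecureInt of(int v) { return new SecureInt(v); }

    /** Legacy boundary, outbound: hand a raw int back to existing code. */
    public int toLegacy() { return value; }

    // '+', '-', '*' become methods that throw ArithmeticException instead of wrapping.
    public SecureInt add(SecureInt o) { return new SecureInt(Math.addExact(value, o.value)); }
    public SecureInt sub(SecureInt o) { return new SecureInt(Math.subtractExact(value, o.value)); }
    public SecureInt mul(SecureInt o) { return new SecureInt(Math.multiplyExact(value, o.value)); }

    /** '/' also rejects Integer.MIN_VALUE / -1, which overflows silently in Java. */
    public SecureInt div(SecureInt o) {
        if (o.value == 0) throw new ArithmeticException("division by zero");
        if (value == Integer.MIN_VALUE && o.value == -1) throw new ArithmeticException("overflow");
        return new SecureInt(value / o.value);
    }

    /** Replaces raw subscripting: the index is range-checked before use. */
    public <T> T index(List<T> list) {
        if (value < 0 || value >= list.size()) throw new IndexOutOfBoundsException("index " + value);
        return list.get(value);
    }

    @Override public String toString() { return Integer.toString(value); }

    public static void main(String[] args) {
        // Legacy-style arithmetic: a length computed near the top of the int range wraps
        // to a negative number and would pass a later "len < size" check.
        int legacyLen = Integer.MAX_VALUE;
        int legacySum = legacyLen + 1;
        System.out.println("primitive '+': " + legacySum);

        // Same computation through the secure class: the wrap-around is refused.
        SecureInt len = SecureInt.of(legacyLen);
        try {
            len.add(SecureInt.of(1));
        } catch (ArithmeticException e) {
            System.out.println("secure add(): " + e.getMessage());
        }

        // Toy pre-compiler pass over two constructed snippets: the first uses raw
        // primitives and operators, the second only the wrapper and its methods.
        String legacySnippet = "int total = a + b;\nreturn total;";
        String secureSnippet = "SecureInt total = a.add(b);\nreturn total;";
        System.out.println("legacy findings: " + PrimitiveScanner.findings(legacySnippet));
        System.out.println("secure findings: " + PrimitiveScanner.findings(secureSnippet));
    }
}

/**
 * Toy stand-in for the pre-compiler check that rejects code still using primitives
 * or raw operators. Regex-based, so it ignores block comments and string literals
 * and will flag '-' inside a lambda arrow; a real pass would work on tokens.
 */
final class PrimitiveScanner {
    private static final Pattern PRIMITIVE =
        Pattern.compile("\\b(int|long|short|byte|char|float|double|boolean)\\b");
    private static final Pattern OPERATOR = Pattern.compile("[-+*/%]=?|<<|>>>?");

    static List<String> findings(String source) {
        List<String> out = new ArrayList<>();
        String[] lines = source.split("\n");
        for (int i = 0; i < lines.length; i++) {
            String code = lines[i].replaceAll("//.*$", ""); // drop line comments
            if (PRIMITIVE.matcher(code).find()) out.add((i + 1) + ": primitive type: " + lines[i].trim());
            if (OPERATOR.matcher(code).find()) out.add((i + 1) + ": raw operator: " + lines[i].trim());
        }
        return out;
    }
}
```

Run with `javac SecureInt.java && java SecureInt`. The `of`/`toLegacy` pair is where the trust boundary sits: primitives cross it only at the edges, and everything in between is forced through the checked methods, so an overflow that the primitive `+` would hide becomes an exception the caller has to handle. The scanner deliberately runs outside the code it inspects (it uses `int` itself), which mirrors the page's split between the library and pre-compiler on one side and application code on the other.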
The first SCF was developed by Digital Dataworks. It is written in Java, and much of the source code has been submitted as proof-of-concept in the utility patent application. The code has also undergone rigorous unit testing, so it is currently a viable product. Another version, written in C++, is underway by the same company.
The market for the SCF is huge. The cost of cybercrime world-wide is currently put at $3T, with a projection of $6T for 2021. There are roughly 18 million programmers world-wide today, and the projection for 2019 is over 26 million. Granted, not all cybercrime is due to application security flaws, but they remain a major concern; according to many annual industry cyber reports, application security has been the #1 concern in recent years.
- 2017 Top 100 Entries
ABOUT THE ENTRANT
Type of entry: individual
Tim is inspired by: A desire to solve really challenging problems and a pressing need to improve the security posture of computing in the US
Software used for this entry: Eclipse