April 17, 2007

Writing Secure Code: The Root Cause of the Problem?

As a security speaker and instructor, while presenting some of the security vulnerabilities we deal with on a daily basis (protocol and implementation flaws, buffer overflows, format strings, lack of input validation, XSS, SQL injection...), I'm frequently asked what we as security pros can expect in the coming years. I predict two scenarios:
  1. The son of the son of the son of my son will be able to make a living as a security professional.
  2. We finally get the idea and start fixing the root of today's security issues: vulnerable software.
Without trying to predict the future, I seriously think there is still a lot of work to do to improve one of the root causes of the problem: the current development life cycle and the quality of today's software. By software I mean firmware, drivers, operating systems and applications, that is, all code that can execute on any CPU ;)

I finished my Masters degree in Computer Science a decade ago, and at that time I didn't go through a single security best practice in any of the programming, software engineering and development subjects (and believe me, I went over lots of programming methodologies and languages during my 6-year university degree). Unfortunately, the situation has not changed much since then.

The SANS Institute finally announced at the end of March a new initiative focused on the secure coding field, called the SANS Software Security Institute (SSI). It has started by covering the most commonly used languages, C & C++ and Java/J2EE, and will very soon add .NET/ASP and PHP/PERL. More languages will follow. It is time to involve programmers in security!

As an example, the first year of the Coverity Scan project, automated vulnerability research on open source code, disclosed more than 6,000 flaws. Commercial software is no better, and the security industry is getting crazy, as shown by the latest MS ANI flaw: it was known 3 months ago but no official patch was available, several third-party patches were circulating, and once the official patch was out, it caused some conflicts :(

What are some secure coding resources I can start with?

Programming languages:
The most popular languages still seem to be Java, C/C++, PHP, (Visual) Basic, Perl, Python..., with Ruby (and probably Ruby on Rails) pushing really hard.

Web sites:
  • Flawfinder by David Wheeler (free). C & C++.
  • Valgrind, invalid memory usage (free). Linux. C & C++.
  • Rational Purify, invalid memory usage (commercial). Windows. Java, C++ and .NET.
  • ITS4 by Cigital (free). C & C++.
  • RATS by Fortify Software (free). C, C++, Perl, PHP and Python.
  • Other tools and more...
It is a must to audit your own source code looking for security flaws, but also the source code of the tools you commonly use, looking for other oddities ;)
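To make concrete what the C & C++ checkers listed above actually report, here is an added example (my own illustration, not code from the post or from any of those tools): the unbounded copy and format-string patterns they flag, the hardened form of the same function, and a deliberately simple deny-list scan in the spirit of Flawfinder and RATS. The name limit, the buffer sizes and the sample source lines are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 16   /* constructed limit for the example */

/* BEFORE: the two patterns a lexical checker reports on sight. The copy
   has no bound (CWE-120) and user text ends up as the printf format
   (CWE-134). Kept only as the audit target; it is never called here. */
void greet_unsafe(const char *name, char *out)
{
    char buf[MAX_NAME];
    strcpy(buf, name);
    sprintf(out, buf);
}

/* AFTER: reject over-long input instead of truncating silently, copy
   with an explicit bound, and pass the text as an argument to a fixed
   format. Returns false whenever the input or the output does not fit. */
bool greet_safe(const char *name, char *out, size_t out_len)
{
    const char *end = memchr(name, '\0', MAX_NAME);
    if (end == NULL)               /* no terminator within the limit */
        return false;
    size_t n = (size_t)(end - name);
    char buf[MAX_NAME];
    memcpy(buf, name, n + 1);      /* n < MAX_NAME, so this fits */
    int written = snprintf(out, out_len, "Hello, %s!", buf);
    return written >= 0 && (size_t)written < out_len;
}

/* Convenience wrapper: true when the greeting for `name` fits in an
   output buffer of `out_len` bytes (capped at 64 for the example). */
bool greeting_fits(const char *name, size_t out_len)
{
    char out[64];
    if (out_len > sizeof out)
        out_len = sizeof out;
    return greet_safe(name, out, out_len);
}

/* Minimal stand-in for what the lexical scanners do: flag a line of C
   source that calls a function from a deny-list. Returns the first risky
   call found, or NULL. Real tools tokenise properly and rank by risk;
   a plain substring search is enough to show the idea. */
static const char *const risky[] = { "gets(", "strcpy(", "strcat(", "sprintf(", NULL };

const char *audit_line(const char *line)
{
    for (int i = 0; risky[i] != NULL; i++)
        if (strstr(line, risky[i]) != NULL)
            return risky[i];
    return NULL;
}

int main(void)
{
    /* constructed source lines standing in for a file under audit */
    const char *lines[] = {
        "    strcpy(buf, name);",
        "    snprintf(out, out_len, \"%s\", buf);",
        "    gets(line);",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        const char *hit = audit_line(lines[i]);
        printf("%s  <- %s\n", lines[i], hit ? hit : "ok");
    }
    char out[64];
    printf("%s\n", greet_safe("Alice", out, sizeof out) ? out : "rejected");
    printf("%s\n", greet_safe("AAAAAAAAAAAAAAAAAAAA", out, sizeof out) ? out : "rejected");
    return 0;
}
```

Note that `snprintf("%s")` alone is not the whole fix: the hardened version also refuses input that would not fit rather than quietly chopping it, which is the behaviour a reviewer should expect when the truncated value later feeds a path, a query or a log line.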
