
The Path to Secure Applications

The ongoing epidemic of data breach notifications forced by today's data breach disclosure laws has painfully highlighted the insecurity of many of today's applications. How, then, can organizations ensure their applications are secure, and avoid the cost and public relations fallout—not to mention stock price downturn—inherent in issuing numerous security patches, or worse, having to explain to consumers and regulators how code defects allowed attackers to steal people's sensitive and perhaps regulated information?

The imperative for creating secure code has never been greater, given the rapid rise in new technologies—including web services and rich Internet applications—and the need to ensure the integrity of existing, legacy, and under-development applications in an increasingly network-oriented world in which companies continue to integrate their systems with business partners to speed the exchange of information. In these conditions, companies must ensure code is secure to protect data privacy, preserve customer loyalty, safeguard sensitive information, and maintain operational integrity.

What is the best way to ensure code is secure? The path to effective secure software development requires that source code review processes accomplish three things:

  1. Consistency. Create consistent processes, policies, and a culture of improved security.
  2. Provide the whole security picture. When it comes to dangerous vulnerabilities, large-scale design flaws typically trump individual coding errors. Fixing individual vulnerabilities will have little effect if data is not encrypted, authentication is weak, or there are open backdoors in an application.
  3. Prioritize remediation. When reviewing existing code, developers must identify all vulnerabilities in the code and remediate the greatest risks first.

Ensuring code is secure requires examining all of the places vulnerabilities may exist. Even when using automated tools, however, developers must still understand that the path to creating a secure application may involve vetting implementation and design practices, including native code and code-reuse practices, which they did not think could result in vulnerabilities. Companies must tread carefully down the path of secure code development, and ensure they analyze the myriad places where software vulnerabilities can exist. Along the way, to effectively measure the risk posed by any given application, security analysts or developers should watch especially for two types of errors:

  1. Implementation errors. These quality-style defects in code are fairly atomic, and typically stand alone when they are identified and remediated. They are caused by bad or "loose" programming practices. Examples include buffer overflows, which result from mismanagement of memory, and race conditions, which result from call-timing mismatches.
  2. Design errors. These include the failure to utilize or adequately implement security-related functions. The affected areas include authentication, encryption, the use of insecure external code types, and validation of data input and application output.

While implementation errors are the most familiar, it is actually design flaws that pose the greatest risk in today's web-enabled applications. The process for spotting errors is not simply to better define the need for security in the development process, but to look at all the places in code where design flaws may, or do, exist. Commonly used approaches include manual code review and penetration testing. While these are both useful, neither is sufficient to cope with the breadth of existing and potential design errors, and neither can on its own help ensure code is secure.

The most efficient and effective technique for creating secure source code is to evaluate every application, existing applications as well as code under development, against five classes of code vulnerabilities:

  • Security-related functions
  • Input/output validation and encoding errors
  • Error handling and logging vulnerabilities
  • Insecure components
  • Coding errors

These five broad types of code vulnerabilities represent the likeliest and most dangerous risks contained in current and legacy code. Business customers, software development project managers, and developers should ensure all code is vetted per these five classes of vulnerabilities.

The numerous well-publicized data breaches to date, many the result of code flaws, have highlighted just how important eradicating vulnerabilities is to prevent the inadvertent or malicious disclosure of sensitive or regulated information. The path to creating a secure application begins by rigorously testing source code for any and all vulnerabilities, to ensure the application will not compromise, or allow others to compromise, data privacy and integrity.

Ryan Berg, chief scientist and co-founder of Ounce Labs, is one of the industry's most prominent advocates in advancing the state of application security technologies. To learn more, visit www.ouncelabs.com.

