On software defects and loopholes

author | Cynthia Freeney

translator | On fate

planning | Ding Xiaoyun

Reviser | Winter rain

Software defect

Despite some progress in self coding , But now the development of software mainly depends on manpower .

However , People who err , To err is human. ？ therefore , We can get a reasonable guess ： Products and services produced by people , It must contain some form of defect . therefore , Software defects are inevitable , And is an inherent part of the software development process .

A software defect is a logical or configuration error , It will cause the system to produce unexpected behavior .

Some major and common defects in software applications include business logic errors 、 Complexity issues 、 File processing problems 、 Encapsulation problems 、 Data validation problems 、 Identity authentication and authorization errors .

Common weakness enumeration (CWE) Listing describes common software and hardware weaknesses , It will lead to safety related problems . The list provides a comprehensive classification of possible software weaknesses .

In the process of business research and development , We usually compare internal quality and risk indicators and requirements 、 standard 、 Compliance with standards, deadlines, etc , To measure and evaluate the acceptability of software quality level .

therefore , We should be able to draw such a conclusion ： Software quality is subjective , Subject to business commitments 、 The involvement of senior managers and the impact of organizational culture .

An important focus in software development involves budgeting 、 speed of progress 、 Range 、 Maintain an appropriate balance between quality and safety . Changes in one aspect will affect others . Although they don't want to change their plans , But this is not uncommon in the software development life cycle . These scenarios reflect the organization's efforts to control budget and schedule , Have to compromise on software quality and security .

Software quality indicators are not always software safety indicators . The measure of software security , Is the number of vulnerabilities discovered during testing and after production deployment . Software vulnerability is a kind of software defect , Potential attackers often exploit these vulnerabilities , Bypass authorization , Access a computer system or perform an operation . Sometimes , Authorized users can also be malicious , Take advantage of these unpatched known vulnerabilities in the system .

These users may also enter data that cannot pass the verification , Inadvertently exploited software vulnerabilities , Thus, the integrity of data and the reliability of functions using these data are damaged . Exploitation of vulnerabilities will target one or more of the following three security pillars ： Confidentiality 、 Integrity and availability , They are often called CIA A triple .

Confidentiality means protecting data from unauthorized disclosure ; Integrity means protecting data from unauthorized modification , To ensure the authenticity of the data ; Availability means that the system can be used by authorized users when needed , And deny unauthorized users access . Understand the difference between software errors and vulnerabilities , Is the key to an overall strategy for creating secure software and reducing defects and vulnerabilities in a timely manner .

Software vulnerability

Now the announced exploits , as well as OWASP top ten 、MITRE Common vulnerabilities and exposures (CVE) list 、 Insights from the US national vulnerability database and other sources are all about software vulnerabilities . Overall speaking , This information highlights how technological innovation has broken the required balance , We can take more effective measures based on this information , Better detect and reduce software vulnerabilities before product deployment .

There are more and more software security flaws , The most influential factor is our indomitable attitude towards software security 、 Lack of effective best practices in software security 、 Knowledge differences between software developers and potential attackers and unsafe legacy software .

Because the threat is changing , therefore , Keeping pace with the times in terms of security is necessary to achieve software security . When organizations develop and deploy software , If the attitude towards safety remains unchanged , It is possible to keep internal compliance with effectiveness 、 The safe software development cycle is confused with the process ; Lack of awareness of evolving threat vectors ; So as to inadvertently increase the risk of customers in all aspects . The security policy remains unchanged , Rely only on internal compliance to prove that the developed software is safe , This is short-sighted behavior .

as time goes on , This dependency will cause stakeholders to have blind confidence in the organization's ability to develop security software , And reduce the ability of software development teams to fully review and respond to changing threats . If what I expected was right , These organizations probably don't have an effective patch management program , There are no design principles for integrating software security in the implementation of products or solutions . They are also unlikely to add test suites for security related scenarios , Or incorporate software security best practices into the software development process .

Want to develop secure software , Best practices in software security should be applied in the R & D life cycle . Best practices cover safe design principles 、 code 、 test 、 Tools and training for developers and testers , Helps proactively detect and fix vulnerabilities before deploying products and solutions to production environments . Where appropriate , application “ Fail safe ”、“ Minimum permissions ”、“ Defense in depth ” and “ Separation of duties ” And other safety design principles , Can enhance the security of applications . Besides , Priority must also be given to routine training in software security for developers and testers .

The knowledge gap between software developers and potential attackers is widening . The reasons for this phenomenon are different , Some of the reasons are mentality 、 Focus on different areas and lack of learning opportunities . Besides , Some software developers have a zero sum attitude towards system compromise . This mentality runs counter to the safety design principle of deep defense , And think that network and device vulnerabilities are actually “ The key to heaven ” event （ Translation notes ：keys-to-the-kingdom, Christian allusions , This means that the vulnerability discoverer deserves to gain great privileges through the vulnerability ）. therefore , They believe that trying to minimize compromise is futile . There are many system data leaks that have been exploded , It is the consequence of this mentality , They lack security or lack layered security , Leading to the theft of unencrypted personal data .

such “ Zero-sum ” State of mind , Inadvertently encourages potential attackers to penetrate the network through various technologies and further destroy the ecosystem , Thus, it is possible to gain access to other systems containing personal and business data . Scrutinizing code is a common defense in depth measure , But some software developers fail to make effective use of . These developers rely entirely on automated code scanning tools , Without reviewing the code , Or just a cursory review of the code . Using automatic code scanning tools and scrutinizing code is an effective defense in depth strategy , Vulnerabilities can be detected before the solution or product is deployed to the production environment .

Software developers and potential attackers have different priorities and focus areas . Software developers' focus areas include implementing business logic ; Fix software defects to meet quality requirements ; Ensure that the functions or solutions they implement meet the internal practicability 、 Availability and performance indicators or service level agreements (SLA) Indicators in . Obvious , Software developers gain expertise in their main areas of concern . The main areas of concern for potential attackers include system and software behavior analysis , They constantly hone their skills to increase their income 、 Satisfy curiosity 、 Implement toolset 、 Reconnaissance and exploration . So again , Potential attackers can also gain expertise in their areas of concern .

Skill differences between potential attackers and software developers , Let the organization need to continuously train software developers in software security . Software developers must also understand the current and expanding attack vectors , And understand the concept of software attack surface , To avoid entering the minefield by mistake in the process of software implementation and modification . Besides , Software developers must change their minds , Incorporate software security principles and best practices into the software development life cycle , They have the same priority as the function implementation .

In development, it is now called “ Legacy ” In those years of software , Function implementation usually has the highest priority . For many software vendors , The priority of software security and function is different , And it's not part of the software development process . Under the long-term impact of this prioritization and the growing threat situation , The result is now “ Legacy ” Those vulnerabilities in the software will be discovered and exploited . Why give priority to function implementation , The reasons vary .

competition 、 Time to market and lack of attention to software security , Is the main reason why organizations cannot follow software security best practices and maintain software security development processes . Some organizations in order to better protect “ Legacy ” Software , They are allocated funds and resources , Make sacrifices in the realization of the required functions ; And because of continued attention in “ Legacy ” Software protection , May lose potential competitive advantage . Other organizations actively evaluate software vulnerabilities by examining software vulnerabilities “ Legacy ” System . For all that , Completely patched in the code base 、 Upgrade to the latest and safest or before being abandoned , Legacy software will be fertile ground for vulnerability exploitation .

junction On

Software is one of the most commonly used attack media for potential attackers . therefore , Many organizations realize that , To implement and maintain a secure software development process and infrastructure , Due diligence is very important . These organizations independently and cooperatively contribute to the promotion of defense strategies in the field of network and software security . Corporate contributions include ： Create a security model and framework to describe the stage of network attack （ For example, Lockheed Martin's network killing chain ）, So that the organization can plan corresponding mitigation measures ; Set up a reward scheme , Reward for finding vulnerabilities , So that security researchers and others can make money by discovering exploitable software defects ; Contribution to the open source network security toolset ; Write a white paper on Application Security , Describe best practices and promote software security development - Security - Operation and maintenance （DevSecOps） Natural transition .

Evolving software attack vectors make it impossible for us to eliminate all software vulnerabilities before production deployment . For all that , Software developers must continue to learn about software security development . Others are focusing on using machine learning to detect software vulnerabilities , This will help speed up 、 Detect software vulnerabilities more effectively . However , Whether the result of adopting machine learning in professional field meets the expectation , Not sure yet . meanwhile , Organizations must continue to invest on the same front , Work together against potential attackers .

Author's brief introduction

Cynthia Freeney At present, he works in an organization specialized in biomedical artificial intelligence and natural language processing technology , Serve as software project manager and security officer . She has Scrum Master Certification and ISC2 Certified software security lifecycle specialist （CSSLP） authentication , And is a network security enthusiast .

Link to the original text

https://www.infoq.com/articles/emerging-software-vulnerabilities/