The Future of Secure Programming
In this article, we will examine the current secure programming practices used by many developers and why these techniques continue to fall short.
Join the DZone community and get the full member experience.Join For Free
Recently, cybersecurity and Application Security (AppSec) have become two of the most publicized topics in news reports — and for a good reason. Since 2013, hackers have breached 3 billion Yahoo and 500 million Marriott user accounts and stolen the sensitive information of 21.5 million security clearance applicants from the US Office of Personnel Management (OPM). These astronomical numbers do not include the disclosure of credit card and other financial information of hundreds of millions of shoppers at Home Depot, eBay, and Target.
Astonishingly, most of these compromises could have been prevented with simple preemptive measures. As with most software defects, the cost of removal grows exponentially the longer a defect persists after implementation. In practice, many of the security defects that lead to compromises originate during implementation, which means that developers are in a precarious situation: they have the power to stop security defects — which can lead to compromises — at the source. Failure to do so leaves developers responsible for substantial damage to businesses and their customer
In this article, we will examine the current secure programming practices used by many developers and why these techniques continue to fall short. Leveraging this knowledge, we will then explore some of the future research and technologies that will provide developers with the tools necessary to ensure that applications are secure at inception.
Programming secure applications means that developers are responsible for being knowledgeable about basic best practices and enforcing them when creating code. According to both the Software Engineering Institute (SEI) at Carnegie Mellon University (CMU) and the Open Web Application Security Project (OWASP), basic secure programming can be distilled into a few fundamental tenants, including:
- Validate input from all untrusted data sources.
- Bulkhead different parts of the system.
- Deny all access by default.
- Use mature, well tested security libraries.
- Keep the design of the system simple.
The first step in effectively applying these principles is to understand them from both a theoretical and pragmatic viewpoint; the second step is using them consistently. These steps sound easy, but in practice, we often fail to apply them at the nuts and bolts level.
For example, how often do we check that input data is formatted in a standard character set and does not contain a nefarious command? How often do we use outdated packages or libraries because the cost of upgrading them is too high? How often do we push less-than-stellar code for the sake of meeting a deadline? Even when we try to apply these practices consistently, our aspirations are not enough to ensure that our applications are entirely secure.
Secure Programming Practices Are Not Enough
These practices are useful for ensuring a secure system, but the practical limitations of time and cost — as well as our fallibility as developers — ensure that even with the best intentions, we do not strictly adhere to best practices and we inevitably introduce vulnerabilities into our code.
The first step in effectively applying these principles is to understand them from both a theoretical and pragmatic viewpoint.
Just as with functional correctness, we need help ensuring that the code we write meets our desired specifications. When creating new functionality, we write automated test cases that confirm the code does what we intend it to do. In much the same way, when we write secure applications, we need scaffolding to ensure that we have securely implemented the code. The absence of these tools is the equivalent of coding a feature without tests — hoping that we implemented a new feature correctly on the first attempt.
While automated tests can significantly aid in ensuring we implement some of the best practices — such as creating a test case that assesses whether a module can reject malicious input — more specific tools are needed. In most cases, this means the use of static analysis tools.
Static analysis tools inspect the code of an application, looking for obvious problems, such as passing unverified input as a parameter to a SQL query or writing characters to a buffer that may cause an overflow. Although valuable, static analysis has two drawbacks: it often reports false positives and is only useful at preventing known vulnerabilities.
Firstly, false positives reduce the likelihood that a developer will heed reported vulnerabilities, burying true errors in a sea of useless information. Secondly, past information aids in preventing known vulnerabilities, but it does not help in preventing rumored attacks or likely attack vectors devised by hackers. Although a solution to the second issue is currently infeasible with static analysis alone — we will revisit this topic in a later section — statistical methods can help in resolving the first.
Statistically Based Static Analysis
Statistical methods can be used to prioritize the vulnerabilities in an application to ensure that the most pertinent threats are brought to developers' attention while less threatening vulnerabilities and false positives are hidden. In much the same way as medical triage highlights the most severe, life-threatening cases first, statistical methods can incorporate data from actual compromises and research on patterns of vulnerability to target the most critical liabilities.
The SEI, in particular, has done extensive research on this topic and is working to incorporate this research into tools that can identify and automatically correct common vulnerabilities. While more work is needed before this technology becomes mainstream, it has the potential to focus the attention of developers on critical weaknesses and reduce the burden of inconsequential warnings. Filtering of this type will go a long way in solving the first deficiency of static analysis tools, but another sophisticated approach is needed to address the second.
Cybersecurity, and more locally AppSec, has become a high-stakes game of attack and defense, with hackers inventing more creative strategies and developers devising more resilient and ingenious resistances to thwart these attacks. Following this pseudo-military analogy, one of the best tools for developers is intelligence. In many cases, rumors of attacks or new attack vectors are discussed on the Dark Web or even openly on forums, providing developers with a glimpse into future strategies that will be employed to debilitate applications.
Unfortunately, the amount of information available is overwhelming and differentiating pertinent threats from benign saber-rattling is beyond the capability of most experts and developers. Artificial Intelligence (AI), in the form of machine learning and deep learning, can be an effective solution to this problem.
Using AI and AI-driven secure analysis tools, developers can use the reconnaissance gathered from across the world and analyze systems for the characteristics matching existing and perceived vulnerabilities. Using existing information and rumors, AI can even make educated guesses on what types of attacks may be coming and what kind of solutions developers can implement to stop these attacks before they occur.
The SEI and IBM (Watson) have done extensive research and testing, respectively, on the use of AI for secure programming. Currently, most implementations focus on system-level security, where AI can detect intrusions and abnormal behavior; but researchers are also focusing on how AI can aid static analysis and observe patterns of vulnerable implementations to ensure developers code secure applications.
Considering the numerous data breaches in the past decade and the mind-boggling number of users effected, developing secure applications can feel like a futile endeavor. Despite these failures, forthcoming research on statistical methods for targeted static analysis and AI for intelligence gathering and attack prediction is continuously leveling the playing field between hackers and developers.
This article was originally published in our Application Security Trend Report. To read more articles like this, download the report today!
Published at DZone with permission of Justin Albano, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.