Researchers recently highlighted a remote code execution flaw in the MediaWiki web platform, only the third such vulnerability to emerge since 2006. Security firm Check Point reported the issue to the Wikimedia Foundation, which issued a patch in about 45 minutes, Network World reported. Although there was no evidence that the flaw had been exploited, it could have become a major zero-day threat, given Wikipedia's place as the sixth most-visited site online. Wikimedia's strong security track record shows what open source code and constant vigilance can do for security, but it also underscores that even the most mature applications may be overlooking basic software security holes, Check Point's Shahar Tal noted in a recent InformationWeek column.
Keep it simple
Recent years have seen a rise in increasingly complex threats, prompting developers and security professionals to take advanced precautions, Tal explained. With sophisticated attacks on the rise and attention focused on distributed denial-of-service attacks, international bank heists and the like, it is easy to neglect the basic issues that have plagued applications for years. SQL injection, for instance, has historically been one of the biggest problems in software security, yet it continues to cause data breaches and to draw attackers' interest.
"Some input validation vulnerabilities tend to go unnoticed because the exploitation techniques are not particularly new or technically advanced," Tal wrote. "This presents an attractive target, since attackers are always looking for the path of least resistance. It's akin to putting up the 'Beware of Dogs' sign, keeping a big dog in the backyard, arming your sophisticated home protection system with mobile alerts, bolting the front door, locking the back gate, and then leaving one of the front windows open. Sometimes those simple, obvious entry points are the most lucrative for criminals – and the most overlooked by developers and site owners."
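The "open front window" Tal describes is usually a few lines of code. The following is an added example, not code from the article, from Check Point or from MediaWiki: a login lookup that splices user input into SQL text, beside the same lookup written with bound parameters. The table, its rows and the attack strings are constructed for the demonstration; the query shape is the classic one that keeps turning up in breach reports.

```python
import sqlite3

# Constructed sample data for this example (not from the article).
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("carol", "correct-horse"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Deliberately vulnerable: the caller's strings become part of the SQL text,
    so a quote in the input changes the meaning of the statement."""
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s' "
        "ORDER BY name" % (name, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Hardened: the same query with bound parameters. The statement is compiled
    first and the values are handed to the engine as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def compare(conn: sqlite3.Connection, name: str, password: str) -> dict:
    """Run both variants on the same input so the difference is visible."""
    return {
        "vulnerable": login_vulnerable(conn, name, password),
        "safe": login_safe(conn, name, password),
    }


if __name__ == "__main__":
    db = make_db()
    # Legitimate login: both variants agree.
    print(compare(db, "alice", "s3cret"))
    # Comment out the password check: "alice' --" logs in as alice without a password.
    print(compare(db, "alice' --", "wrong"))
    # Tautology in the password field: the vulnerable query returns every user.
    print(compare(db, "x", "' OR '1'='1"))
```

The vulnerable function is exactly the pattern a static analyzer is built to flag: a string built from untrusted input flowing into a database call. The fix is not input filtering but parameter binding, which removes the parser from the attack surface entirely.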
Tal also warned that it is easy to become complacent about software security, particularly when an application has a strong track record, as MediaWiki does. Complacency, familiarity and a focus on advanced threats can all lead developers to miss important details, which is why tools such as static analysis software matter. Automated source code analysis can flag many of these basic mistakes, such as untrusted input spliced into a query or a command, while the code is still being written, so that the security basics are not overlooked.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.