The news of software security incidents is never-ending, as hackers are constantly finding new, neglected snippets of developers' code to exploit. Often, these highly publicized security holes, which lead to problems like buffer overflows and man-in-the-middle attacks, are the results of simple, easily avoidable errors. A recent SC Magazine article from application security consultant Paco Hope highlighted some of the common steps that developers can take to prevent these problems, including:
Input validation: According to one thorough analysis, buffer overflows have been the top software security vulnerability over the past 25 years. Although such errors have generally declined since their peak in 2006, they experienced a small uptick in 2012, indicating that developers still have a long way to go toward making sure their code does not contain the potential for input errors. The solution, according to Hope, is to be "incredibly pessimistic and pedantic" and to avoid taking shortcuts. By double- and triple-checking code – ideally with the assistance of source code analysis tools – these errors can be easily caught and avoided.
API validation: Recent years have seen an explosion of APIs as the concept known as the Internet of Things has taken off. But as more devices become connected, new security issues are introduced, particularly with regard to the APIs that do the connecting. Authorizing access to API data is a key point of concern for securing the world of connected devices, Hope noted. While shifts are underway to generally improve coding standards around Internet of Things devices and APIs, this area will be a key focus of software security concerns in the coming years.
Output encoding: Poor oversight of application outputs can easily introduce bugs simply through formatting errors in code. Even worse, such issues can enable man-in-the-middle attacks, letting attackers change commands and carry out malicious or improper actions, according to the MITRE Corporation. However, it's also often relatively straightforward to catch these problems.
"This weakness can often be detected using automated static analysis tools," MITRE's website notes. "Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives."
In general, better testing is one of the best tools developers have at their disposal in each of the specific cases above and more, Hope noted. Nonetheless, many companies tend to have fairly cursory testing processes, often focusing on penetration testing and checking to make sure functions complete as expected. One of the most valuable improvements is to involve more human elements, which can be achieved through approaches like peer code review.
Ideally, companies will employ a broad variety of software security testing techniques, ranging from source code analysis to having developers throughout the organization check each other's code. As small checks and seemingly minor errors continue to be a thorn in the side of many software companies, however, using the full range of these options is critical for meeting secure development expectations.
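To make the "incredibly pessimistic and pedantic" approach to input validation concrete, here is an added C example (not code from the SC Magazine article, Paco Hope or Klocwork) that checks every property of an untrusted length-prefixed field before copying it into a fixed-size buffer. The record layout, `FIELD_MAX_LEN`, `parse_name` and the sample inputs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX_LEN 16 /* hypothetical limit chosen for this example */

enum parse_status { PARSE_OK, PARSE_BAD_ARG, PARSE_TRUNCATED,
                    PARSE_TOO_LONG, PARSE_BAD_BYTE };

/* Constructed record layout: one length byte, then that many bytes of
 * printable ASCII. Nothing is copied until every check has passed. */
enum parse_status parse_name(const uint8_t *buf, size_t buf_len,
                             char *out, size_t out_size)
{
    if (buf == NULL || out == NULL || out_size == 0)
        return PARSE_BAD_ARG;
    out[0] = '\0';                 /* on any failure the caller sees "" */

    if (buf_len < 1)
        return PARSE_TRUNCATED;    /* not even a length byte */
    size_t claimed = buf[0];
    if (claimed > buf_len - 1)
        return PARSE_TRUNCATED;    /* header claims more than was received */
    if (claimed > FIELD_MAX_LEN || claimed >= out_size)
        return PARSE_TOO_LONG;     /* no room for the data plus the NUL */

    for (size_t i = 0; i < claimed; i++) {
        uint8_t c = buf[1 + i];
        if (c < 0x20 || c > 0x7e)
            return PARSE_BAD_BYTE; /* reject outright, never "repair" */
    }
    memcpy(out, buf + 1, claimed);
    out[claimed] = '\0';
    return PARSE_OK;
}

int main(void)
{
    /* Constructed inputs: a valid record and one whose length byte lies. */
    const uint8_t good[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t lying[] = { 200, 'a', 'b' };
    char name[FIELD_MAX_LEN + 1];
    printf("good:  status=%d name=\"%s\"\n",
           parse_name(good, sizeof good, name, sizeof name), name);
    printf("lying: status=%d name=\"%s\"\n",
           parse_name(lying, sizeof lying, name, sizeof name), name);
    return 0;
}
```

The length byte is compared against both the bytes actually received and the destination size, which are the two checks an optimistic parser tends to skip.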
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.