
The Need For Secure Coding

November 25, 2019 by Howard Poston

The software security landscape

The quantity of software in daily use keeps growing, and the more consumers and businesses rely on it, the more exposed they are to cyberattack. Most software contains vulnerabilities that leave it open to exploitation.

According to Positive Technologies, the average web application tested in 2018 contained 33 vulnerabilities, six of them high-severity, and Risk Based Security counted nearly 22,000 newly disclosed vulnerabilities in 2018 alone.

This volume makes reactive approaches such as patching after release impossible to scale. Keeping vulnerable software out of production means managing the software threat landscape at the point where the flaws are introduced: with the developers, who need to recognize and remediate common, exploitable coding errors before the code ships.

Common coding errors

Most software vulnerabilities trace back to a small set of programming errors. The thousands of new vulnerabilities disclosed each year are largely the same mistakes being made again in new code.

Knowledge of these vulnerabilities is not new. The Open Web Application Security Project (OWASP) regularly publishes its Top Ten list of the most critical security risks in web applications, yet the same old vulnerabilities keep appearing in new software.

Buffer overflow vulnerabilities are caused by errors in memory management and input validation. If an application writes more data into a block of memory than was allocated for it, the excess spills into adjacent memory, and an attacker who controls the input can overwrite data (on the stack, including saved return addresses) that should never be under their control.
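As an added example (not code from the original article), the following C program puts a fixed-size name buffer next to a privilege flag, shows the classic unbounded strcpy() that would overwrite the flag, and beside it a bounded copy that checks the length before writing. The struct, field names and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed layout: a fixed-size name buffer immediately followed by a
 * privilege flag. Any byte written past the end of `name` lands in `is_admin`. */
struct session {
    char name[16];
    int  is_admin;
};

/* VULNERABLE: strcpy() stops only at the source's NUL terminator, so a name of
 * 16 or more characters runs past `name` into `is_admin` and beyond.
 * Kept for illustration; it is never called with an oversized input here,
 * because doing so is undefined behaviour. */
void set_name_unsafe(struct session *s, const char *src) {
    strcpy(s->name, src);
}

/* HARDENED: measure the input without reading past the destination size and
 * refuse (rather than silently truncate) anything that does not fit.
 * Returns 0 on success, -1 if the input is too long. */
int set_name_safe(struct session *s, const char *src) {
    size_t n = 0;
    while (n < sizeof s->name && src[n] != '\0') {   /* bounded length scan */
        n++;
    }
    if (n >= sizeof s->name) {
        return -1;                 /* no room left for the NUL terminator */
    }
    memcpy(s->name, src, n + 1);   /* copy exactly n bytes plus the terminator */
    return 0;
}

/* Demo helper: fill a fresh session with `input` and report the flag.
 * Returns the is_admin value after the copy (0 expected), or -1 if rejected. */
int admin_flag_after(const char *input) {
    struct session s;
    memset(&s, 0, sizeof s);
    if (set_name_safe(&s, input) != 0) {
        return -1;
    }
    return s.is_admin;
}

int main(void) {
    const char *ok  = "alice";                      /* constructed benign input */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* 24 bytes, constructed attacker input */
    printf("short name -> %d (accepted, flag untouched)\n", admin_flag_after(ok));
    printf("long name  -> %d (rejected before any write)\n", admin_flag_after(bad));
    return 0;
}
```

The important property is that the hardened path decides whether the data fits before it touches the destination; a strncpy() call would merely truncate and can leave the buffer unterminated, which trades one bug for another.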

Integer overflows and underflows occur when an arithmetic result exceeds the range of the variable that holds it, or when a value is converted between types of different width or signedness without a check. The value silently wraps or is truncated and is later interpreted as something else: a negative length that becomes a huge unsigned one and passes a bounds check, or an allocation size that wraps to something far smaller than the data subsequently written into it.
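As an added example (not from the original article), this C code shows the two most common shapes of the problem: an allocation size computed as count * element size that wraps around, next to a checked version, and a signed length field that must be rejected before it is ever converted to size_t. The function names and the sample values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* VULNERABLE: unsigned multiplication wraps modulo 2^N, so a large count
 * produces a tiny result. The caller then allocates that tiny block and
 * writes `count` elements into it, which is a heap overflow. */
size_t buffer_size_unsafe(size_t count, size_t elem) {
    return count * elem;
}

/* HARDENED: detect the wrap-around before multiplying. Returns 0 and stores
 * the product in *out on success, -1 if the product would not fit in size_t. */
int buffer_size_safe(size_t count, size_t elem, size_t *out) {
    if (elem != 0 && count > SIZE_MAX / elem) {
        return -1;
    }
    *out = count * elem;
    return 0;
}

/* A length that arrives from the network as a signed 32-bit field. Casting a
 * negative value to size_t yields a huge number, so the sign must be checked
 * on the signed value first and the range on the unsigned one afterwards.
 * Returns 0 and stores the validated length in *out, or -1 if rejected. */
int accept_length(int32_t len, size_t max, size_t *out) {
    if (len < 0) {
        return -1;                 /* negative length: reject before converting */
    }
    if ((size_t)len > max) {
        return -1;                 /* too large for the receiving buffer */
    }
    *out = (size_t)len;
    return 0;
}

int main(void) {
    size_t n = 0;
    /* constructed input: more elements than the address space can hold */
    size_t count = SIZE_MAX / 4 + 1;
    printf("unchecked size: %zu (wrapped to zero)\n", buffer_size_unsafe(count, 8));
    printf("checked size:   %d (rejected)\n", buffer_size_safe(count, 8, &n));
    printf("length -1:      %d (rejected)\n", accept_length(-1, 1024, &n));
    if (accept_length(512, 1024, &n) == 0) {
        printf("length 512:     accepted as %zu\n", n);
    }
    return 0;
}
```

The order of the two checks in accept_length() is the whole point: comparing (size_t)len > max first would pass for -1, because the cast turns it into SIZE_MAX and the sign information is gone.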

Race conditions arise from failing to synchronize concurrent access to shared resources. If the outcome of execution depends on the order in which threads or processes touch shared state, for example checking a file's permissions and then opening it as two separate steps (a time-of-check to time-of-use race), an attacker who can win the timing window may have an exploitable vulnerability.

Format strings tell functions such as printf how text and variables should be combined. Passing user-controlled text as the format string itself, printf(user) instead of printf("%s", user), lets an attacker supply directives such as %x or %n that read from, or write to, memory.
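As an added example (not from the original article), the following C code places the vulnerable pattern beside the hardened one and uses an input that is defined behaviour under both ("100%% done") to show that the vulnerable version interprets the user's text while the safe version copies it verbatim. The function names and sample strings are constructed for the demonstration; inputs containing %x or %n are only ever passed to the safe function here, since feeding them to the vulnerable one is undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE: the user's text *is* the format string, so every '%' in it is a
 * conversion directive. With "%x %x %x" it reads values off the stack; with
 * "%n" it writes to memory. Compilers flag this with -Wformat-security. */
int render_unsafe(char *out, size_t n, const char *user) {
    return snprintf(out, n, user);
}

/* HARDENED: a constant format string. The user's text is merely the argument
 * for %s and is copied unchanged no matter which characters it contains. */
int render_safe(char *out, size_t n, const char *user) {
    return snprintf(out, n, "%s", user);
}

/* Returns 1 if the vulnerable rendering altered the text (it was interpreted
 * as a format string), 0 if the text came through unchanged. */
int unsafe_interprets(const char *user) {
    char buf[128];
    render_unsafe(buf, sizeof buf, user);
    return strcmp(buf, user) != 0;
}

/* Returns 1 if the hardened rendering reproduced the text exactly. */
int safe_preserves(const char *user) {
    char buf[128];
    render_safe(buf, sizeof buf, user);
    return strcmp(buf, user) == 0;
}

int main(void) {
    const char *input = "progress: 100%% done";   /* constructed user-supplied text */
    printf("unsafe interprets the input: %d\n", unsafe_interprets(input));
    printf("safe preserves the input:    %d\n", safe_preserves(input));
    printf("safe with directives intact: %d\n", safe_preserves("%x %x %n"));
    return 0;
}
```

The same rule applies to every function in the printf family (sprintf, fprintf, syslog, and logging wrappers built on them): the format argument must be a literal under the program's control, never data.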

Command injection vulnerabilities exist when user-provided data is spliced into a command before it is handed to an interpreter such as a shell. If the attacker can get their data interpreted as part of the command, the commands they supply are executed on the system.
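As an added example (not from the original article), the C code below shows a ping utility built the vulnerable way, by splicing the hostname into a shell command line, next to a hardened version that validates the host against an allow-list and passes it as a separate argv element to execvp(), so no shell ever parses it. The function names, the validation rules and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* VULNERABLE: the hostname is concatenated into a command line destined for
 * system(). A value like "8.8.8.8; cat /etc/passwd" makes the shell run the
 * attacker's second command. This function only builds the string; it is
 * never passed to system() in this example. */
int build_command_unsafe(char *out, size_t n, const char *host) {
    return snprintf(out, n, "ping -c 1 %s", host);
}

/* Allow-list validation: hostnames and IPv4 literals need only [A-Za-z0-9.-].
 * A leading '-' is rejected as well, so the value cannot be parsed by ping as
 * an option (argument injection). Returns 1 if acceptable, 0 otherwise. */
int valid_host(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-') {
        return 0;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') {
            return 0;
        }
    }
    return 1;
}

/* HARDENED: no shell at all. The host is its own argv element, so shell
 * metacharacters are never interpreted. Returns the child's exit status,
 * or -1 if validation failed or the process could not be run. */
int ping_host(const char *host) {
    if (!valid_host(host)) {
        return -1;                      /* rejected before anything executes */
    }
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", argv);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[128];
    const char *evil = "8.8.8.8; cat /etc/passwd";   /* constructed attacker input */
    build_command_unsafe(cmd, sizeof cmd, evil);
    printf("shell would see:  %s\n", cmd);
    printf("hardened result:  %d (rejected)\n", ping_host(evil));
    return 0;
}
```

Escaping shell metacharacters is the tempting alternative, but it has to be exactly right for the shell in use; removing the shell from the path and validating against an allow-list is the approach that fails safe.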

Least privilege is the principle that users and applications should operate with the lowest level of permissions their task requires. Failing to apply it does not create a vulnerability on its own, but it amplifies the impact of any exploit: a bug in a service that runs as an administrator hands the attacker administrator access.

Poor credential management can allow an attacker to gain access to valid credentials for user accounts. This can enable unauthorized access to sensitive data or make it possible to perform attacks against vulnerabilities that are only accessible to authenticated users.

Cryptography is essential to the proper operation of many applications. However, its complexity means that even small errors in design or implementation can render it completely ineffective and provide users and developers with a false sense of security.

SQL injection takes advantage of poor handling of user input to read or alter sensitive data. As with command injection, the query is built by mixing user-provided data with SQL commands, so an attacker can have their data interpreted as part of the statement; parameterized queries keep the two separate.

Cross-site scripting (XSS) vulnerabilities abuse the trust the browser places in a site's own scripts. The same-origin policy grants scripts served from a site access to that site's data; an attacker who can inject a script into a page served by the vulnerable site runs it within that origin, with the same access to session cookies and page content as the site's legitimate code.

Cross-site request forgery (CSRF) tricks an authenticated user's browser into making a state-changing request. Typically the attacker embeds a resource or form in a page they control; when the victim's browser loads it, the browser sends the request to the target site together with the victim's session cookies, and the site processes it as a legitimate action. Sites that encode actions as verbs in HTTP URLs and accept them without an unpredictable per-session token are especially exposed.

Misuse of HTTP and HTML is a common source of vulnerabilities when web developers find “clever” ways to implement complex functionality on the client side. Everything the browser receives or sends (page source, hidden form fields, cookies, headers) is under the user's control, so any security check performed there can simply be bypassed.

Poor error handling covers both extremes of the spectrum. Failing to handle errors can leave the application in an exploitable state, while overly detailed error messages (stack traces, query text, file paths) hand an attacker valuable intelligence.

Improving the state of software security

One of the main reasons that common vulnerabilities continue to appear in new software is that most developers have not received security training. In fact, in a survey cited by Veracode, over two-thirds of developers said their organization does not provide adequate training in application security.

If developers are unaware of the common types of vulnerabilities and how to detect them in their code, then these same vulnerabilities will continue appearing. Cybercriminals, on the other hand, are very familiar with these threats and have access to a wide variety of tools for detecting and exploiting them.

Identifying and remediating vulnerabilities in development is much cheaper than addressing them in production through bug bounty programs and patching. As long as developers remain unaware of basic vulnerabilities and how to detect them, the software threat landscape will only expand.

Sources

  1. Web application vulnerabilities: statistics for 2018, Positive Technologies
  2. More Than 22,000 Vulnerabilities Disclosed In 2018, Risk Based Security
  3. OWASP Top 10 – 2017, OWASP
  4. Key Considerations for Secure Coding Training, Veracode
Howard Poston

Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.