BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Contribute

Topics

Choose your language

InfoQ Homepage Articles Insights into the Emerging Prevalence of Software Vulnerabilities

Insights into the Emerging Prevalence of Software Vulnerabilities

Bookmarks

Key Takeaways

  • A critical distinction between software bugs and vulnerabilities is that the former is often attributed to logic errors. In contrast, the latter is exploitable and can violate one or more security pillars, Confidentiality, Integrity, and Availability (CIA).
  • The most impactful contributors of exploits are a non-evolving security posture, failure to apply secure software best practices effectively, the knowledge disparity between software developers and threat actors, and insecure legacy software.
  • Since threat vectors are constantly evolving, software developers must engage in continuous learning regarding secure software development.
  • Organizations that develop and deploy software while executing against a non-evolving security posture are at risk of conflating internal compliance with an effective secure software development lifecycle process, developing tunnel vision regarding evolving threat vectors, and inadvertently increasing their customers' risk portfolio.
  • Some software developers employ a zero-sum perspective regarding potential system compromise incidents which impacts the application of software security principles such as defense in depth.

 

Software Bugs

Although there are in-roads regarding self-writing code, software development remains a hands-on human endeavor.

Therefore, the implication is that since humans are not infallible, one can reasonably predict with a degree of certainty that the products and services produced by the human effort will contain flaws of some form. Hence, software bugs are inevitable and are an intrinsic part of the software development process.

Software bugs are errors in logic and configuration that produce undesirable system behavior.

Some primary and common deficiencies in software applications include business logic errors, complexity issues, file handling issues, encapsulation issues, data validation issues, authentication, and authorization implementation errors.

The Common Weakness Enumeration (CWE) List describes common software and hardware weaknesses with associated security ramifications. The CWE provides a comprehensive categorization of possible software weaknesses.    

Within a business context, the acceptable level of software quality is often measured and assessed through comparison against internal quality and risk metrics as well as adherence to requirements, specifications, standards, and deadlines.

Therefore, a plausible argument is that software quality is subjective and influenced by business commitments, senior management engagement, and organizational culture.  

A significant focus area in software development involves maintaining a proper balance among allocated budget, schedule, scope, quality, and security. A change in one category impacts the other categories. Unplanned change management scenarios, while not desirable, are not uncommon occurrences within the software development lifecycle. These scenarios reflect the compromises organizations made regarding software quality and security to maintain budget and schedule.  

Software quality is not always an indicator of secure software.  A measure of secure software is the number of vulnerabilities uncovered during testing and after production deployment.   Software vulnerabilities are a sub-category of software bugs that threat actors often exploit to gain unauthorized access or perform unauthorized actions on a computer system. Authorized users also exploit software vulnerabilities, sometimes with malicious intent, targeting one or more vulnerabilities known to exist on an unpatched system.

These users can also unintentionally exploit software vulnerabilities by inputting data that is not validated correctly, subsequently compromising its integrity and the reliability of those functions that use the data. Vulnerability exploits target one or more of the three security pillars; Confidentiality, Integrity, or Availability, commonly referred to as the CIA Triad.

Confidentiality entails protecting data from unauthorized disclosure; Integrity entails protecting data from unauthorized modification and facilitates data authenticy. Availability ensures that systems are available to authorized users when needed and denies access to unauthorized users. Understanding the distinction between software bugs and vulnerabilities is key to formulating a holistic strategy for creating secure software and timely mitigating uncovered bugs and vulnerabilities.

Software Vulnerabilities

Recent past and present-day publicized vulnerability exploits coupled with insights afforded by the OWASP Top 10, MITRE Common Vulnerabilities and Exposure (CVE) lists, U.S. National Vulnerability Database, and other sources are telling. Collectively this information underscores how innovation in technology has outpaced the needed counter-weight for more effective measures to better detect and mitigate software vulnerabilities before production deployment. 

The most impactful contributors to facilitating the ever-growing number of software security flaws are a non-evolving security posture, the absence of effective, secure software best practices, the knowledge disparity between software developers and threat actors, and insecure legacy software.

An evolving security posture is necessary for a successful security program due to ever-changing threats. Organizations that develop and deploy software while executing against a non-evolving security posture are at risk of conflating internal compliance with an effective secure software development lifecycle process, developing tunnel vision regarding evolving threat vectors, and inadvertently increasing their customers' risk portfolio.  Reliance on internal compliance against the backdrop of a non-evolving security policy as evidence of secure software development is short-sighted.

Over time this dependency will cause stakeholders to develop a false sense of confidence regarding the organization’s capabilities to develop secure software and reduce the software development team's ability to adequately review and consider evolving threats. Unsurprisingly, these organizations are most likely to not have an effective patch management program or integrate secure software design principles during product or solution implementation. They are also unlikely to have augmented their test suites to contain security-related test scenarios or incorporated secure software development best practices into their software development lifecycle.    

Secure software development best practices are integral to a secure software development life cycle. Best practices that span secure design principles, coding, testing, tools, and training for developers and testers, facilitate proactive vulnerability detection and remediation before deployment of products and solutions to a production environment. Applying secure design principles such as "Fail-Safe", "Least Privilege", "Defense in Depth", and "Separation of Duties" where applicable bolsters application security. However, routine secure software development-related training for developers and testers must also be prioritized.   

The knowledge disparity between software developers and threat actors is growing. Reasons for this phenomenon vary, however some contributors are mindset, primary focus area, and a lack of learning opportunities. Additionally, some software developers employ a zero-sum perspective regarding system compromises. This mindset is counter to the defense in depth secure design principle and subscribes to the belief that network and device breaches are de facto "keys-to-the-kingdom" events. Thus, attempts to minimize further compromise are futile. Examples of this mindset are illustrated by the many reported data breaches against systems absent or with inadequate layered security, resulting in the theft of unencrypted personal data.  

This "zero-sum" mindset inadvertently facilitates threat actors' ability to further compromise an ecosystem by using varying techniques to navigate deeper into a network, potentially gaining access to other systems containing personal and business data. A common defense in depth measure that some software developers fail to effectively utilize is detailed manual code reviews.  These developers fail to seek or conduct manual code reviews or engage in cursory code reviews, instead having sole reliance on automated code scanning tools.  The use of an automated code scanning tool together with detailed code reviews is an effective defense in depth strategy to detect vulnerabilities, prior to solution or product deployment to production.   

Software developers and threat actors have different priorities and focus areas. Software developers' focus areas include implementing business logic, remediating software bugs to meet quality requirements, ensuring that their implemented feature or solution meets internal usability, availability, and performance metrics or metrics outlined in a service level agreement (SLA). Consequently and unsurprising, software developers gain expertise in their primary focus areas. In comparison with threat actors whose primary focus areas include system and software behavior analysis, continuous honing of skills to increase their earning potential and satisfy their curiosity, toolset implementation, reconnaissance, and exploration. Likewise, threat actors gain expertise in their areas of focus.

However, the skillset differences between threat actors and software developers necessitate continuous secure software-related training for software developers. Software developers must also be aware of current and ever-expanding attack vectors and understand the concept of a software attack surface to avoid accidental expansion during software implementation and modification. Moreover, software developers must have a mindset shift wherein commitment to integrating secure software principles and best practices into the software development lifecycle have equal prioritization with feature implementation.

During the years in which the development of what is now termed "legacy" software occurred,  feature implementation was often given the highest priority. For many software vendors, software security did not have equal prioritization with feature implementation and was not an intrinsic part of the software development lifecycle. The long-term impact of this prioritization decision and the ever-growing threat landscape is the present-day exploitation of vulnerabilities uncovered in "legacy" software. Reasons vary as to why priority was given to feature implementation.

However, competition, time to market concerns, and the absence of focus on developing secure software are front-runner reasons given for the failure to follow secure software best practices and maintain an effective secure software development lifecycle. For some organizations, allocating funds and resources to better secure "legacy" software detracts from the implementation of needed features, and could result in potential loss of competitive advantage due to a sustained focus on securing “legacy” software.  However, other organizations engage in proactive assessments of their “legacy” systems by checking for software vulnerabilities. Nonetheless, legacy software will be fertile ground for exploiting vulnerability until the codebases are sufficiently patched, modernized, or retired.

Conclusion

Software is one of the most common attack vectors used by threat actors. Therefore, many organizations realize the significance of executing due diligence to implement and maintain a secure software development lifecycle and infrastructure. These organizations independently and collectively contribute to advancing defense tactics in the cyber and software security space. Corporate contributions include the creation of security models and frameworks (e.g. Lockheed Martin's Cyber Kill Chain) that describe the phases of a cyber-attack, thereby allowing organizations the ability to plan mitigations accordingly; the sponsorship of bug bounties programs, wherein security researchers and others are monetarily rewarded for uncovering exploitable software flaws; contributions to open-source cybersecurity toolsets; and authoring application security whitepapers that describe best practices and promotes DevSecOps as a natural evolution of software security.

The ever-evolving software attack vectors belie the belief that all software vulnerabilities are eradicable before production deployment. Nevertheless, software developers must engage in continuous learning regarding secure software development. The use of machine learning to detect software vulnerabilities is gaining some traction and will help to detect software vulnerabilities faster and more efficiently. However, whether this machine learning specialization yields the desired results is yet to be determined. In the meantime, organizations must continue to make investments on the same front to collectively position themselves to provide the needed counter-weight to the actions from threat actors. 

About the Author

Rate this Article

Adoption
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

BT