:: extra ::

It's easy to visualize a world where you can actually trust the software you use. In fact, a lot of people try to pretend they live in that world right now! While the end state is easy to imagine, a lot of organizations have a lot more trouble figuring out how to exit the start state. In other words, what do you do first? How will you know if you're making progress? How do you know when you've arrived?

We're going to try to answer some of those questions by creating a maturity model for software security. Based on a first draft created largely by Pravir Chandra, we've set up a software security framework. Check it out here.

Now the data are starting to roll in. Gary McGraw, Sammy Migues, and I just finished our first round of maturity model interviews. We're talking to the people in charge of some of the most successful initiatives in the world and mapping what they've accomplished into the framework. We've got a huge amount of work in front of us, but the results are already fascinating.

By Brian Chess on Oct 30, 2008 | Permalink

McGraw has published his roundup for the software security space in 2007. Lots of juicy numbers. Here it is.

Mark 2007 on your calendar--it was a turning point. It was the first year there was a bigger market for products that help you get code right than there was for products that help you demonstrate a problem exists.

By Brian Chess on Aug 12, 2008 | Permalink

Last week, Fortify published a study on adoption of security best-practices within the Open Source community. Given mounting risk posed by extensive use of Open Source technologies within business and government IT, we were gratified to see the passionate discussions that followed. Unfortunately, much of that debate was simply a rehash of tired old themes that we must move beyond to make substantive progress in assuring security of Open Source software. These debates reveal the underlying problem: a lack of understanding and collaboration between developers and security experts – today each are talking past each other when it comes to security.

Three all-too-familiar debates have resurfaced:

1) The naïve notion that a software package’s "Open Source" or "Commercial" basis will somehow have an impact on whether it is secure or not.
This week the old "Open Source (or Commercial) software is more secure" feud rose again. The fact is, any development team that accepts security as an engineering objective can deliver it just as they can functional, quality, or performance objectives. Security is a choice not a birthright. It does not come 'for free' because of the way you license your product. However, if security objectives are not clear and secure development methodologies are not in place, it’s a pretty safe bet that security problems will result. Does the Open Source or Commercial software world have an exclusive on building things right? Of course not. Over the last decade, Fortify, has worked with hundreds of development organizations establishing, and in many cases, defining, engineering processes that assure application security. Originally limited to the elite world of global banking and military, we now see a broad range of organizations joining these ranks. Ironically, this is an area where the IT development community is ahead of both the Commercial and Open Source, leaving neither bragging rights on which is most secure.

2) The erroneous idea that eliminating security flaws is a distraction and somehow less (or more) important than tackling functional, quality or performance issues.
We have heard the argument that vulnerabilities are just another bug in the code. Emblematic of this viewpoint was Linus Torvald’s recent rant. The fact is, Quality and Security are not the same; both important, but not the same. Poor quality is obvious to the user who genuinely wants your software to work. Security is an invisible property to all but an expert who is intent on harming your system. QA is a positive testing exercise (ensuring software does what its supposed to do) focusing on the "mainline" placing less emphasis on "corner cases". Security Assurance is often a negative testing exercise (ensuring software does not do what it is not supposed to do) where the corner cases are certain to be explored by an attacker. Quality Assurance depends heavily on alpha, beta, and GA users to report problems. Outside of a small group of security researchers, there are few cases of hackers filing bugs on vulnerabilities. I could go on for several pages, but I think the point is clear: quality and security (and performance, and features for that matter) are important and should be represented equally in a sound engineering practice.

3) The reflexive accusations that any security comments on Open Source software is an affront to the entire Open Source movement and similar to "yelling fire in a crowded theatre".
There are definitely case of bad behavior with security "researchers", with no intention of fixing problems, pointing out specific vulnerabilities for a taste of short lived fame -- what Marcus Ranum calls, "vulnerability pimping." Developers naturally react negatively to this kind of grandstanding. Unfortunately we have also reached a state where even the most rational productive discussions around security and Open Source result in a loud cry of foul. The best of these discussions sound like a mother nagging a teenager to clean their room. That must change and become a collaborative inquiry into how we can do better. This starts with development organizations taking responsibility for security and security experts productively helping them achieve their goals.

As the sponsors of Java Open Review, Fortify supports the ongoing security assessment and remediation of over 100 open source projects –without publicly disclosing a single issue. We do this because we have a vested interest in ensuring that 3rd party components used by us and our customers are secure. We use many of these components ourselves in systems with extreme security requirements. Our customers build financial systems that entire economies depend upon, military software with life and death consequences hanging on data integrity, and all build systems that are critical to their organization.

At Fortify, we know the solution is developers and security experts working together to build software right from the start. We are already working with several projects in the report and look forward to proving that security experts and software development teams can work together effectively.

By Roger Thornton on Jul 31, 2008 | Permalink

Seems like we security people don’t get to celebrate a victory nearly as often as we get to learn from defeat, so please take a moment to enjoy some good news. I’ll try to prolong the moment by saying this: I spend a lot of time telling programmers that they are no longer in a position where they can pretend that security isn’t part of their jobs, but my message is contravened by most of the training material programmers see. Whether it’s documentation a new framework, library, or platform, the standard play is to pretend that security doesn’t exist. No mention of what you need to do in order to make your code secure. No mention that security is anything other than a user name and a password. I’m happy to say that Apple is bucking this trend.

Apple opened up the iPhone for third party applications last week. That means they’re providing programmers a software development kit and instructions on how to write code for the iPhone. On the home page for iPhone development, they have a list of common coding questions such as “How do I debug my application?” and “How can my application detect motion?” At the bottom of the list is “How do I write secure code?” The answer links to a secure coding guide that discusses topics like validating input and avoiding buffer overflow as well a discussion of the security services the iPhone’s OS provides. Nice.

(In order to browse the links above, you have to register as an iPhone developer. It’s free. Go here.)

By Brian Chess on Mar 14, 2008 | Permalink

Ed Felton and the gang at Princeton have struck again! This time they've figured out how to defeat the disk encryption schemes built into Vista, MacOS X, and others. The attack works because the values held in RAM don't disappear instantly when a computer is switched off. They decay slowly over a period of seconds, and that can be extended to minutes with a little bit of coaxing. That's long enough to boot up a second OS and read out the contents of memory. After that, it's just a matter of extracting the crypto keys, and the game is over. Awesome work. Read about Cold Boot attacks on Encryption Keys.

If there's a lesson to be re-discovered here, I think it's the amazing way we end up building security systems on what seem to be solid ground (as in "computers forget stuff when you turn them off"), and only when it's too late do we find out that our premise was strong enough for trying to explain computers to someone like your old uncle Hugo, but not strong enough to adequately secure your data.

It appears to me that this attack is still too sophisticated for the average thief who steals laptops in coffee shops, but it's plenty easy for the forensics guy down at the police station.

By Brian Chess on Feb 21, 2008 | Permalink

Some inspired soul has reworked the New Face of Cybercrime trailer. Watch this. My favorite bit: the cat and the baby.

By Brian Chess on Feb 19, 2008 | Permalink

It's been a while since Brian or I posted anything about Secure Programming with Static Analysis, and Gary McGraw's mention of the book in his recent article on Dark Reading seems like as good an excuse as any. Gary concludes his post, The Truth Behind Code Analysis, with the following:

"If you’re interested in static analysis for security (and you should be), buy and read Secure Programming with Static Analysis by Brian Chess and Jacob West."

The book was also recently reviewed in a recent blog post by the folks over at the Denim Group.

And the following are just a few of the other relevant mentions it has received:

- SDTimes
- Dr. Dobb's Journal
- Sylvan von Stuppe
- Justice League (Cigital)
- SANS
- Deep Inside | Security & Tools

I've also been (pleasantly) surprised by how much interest we've gotten in the warez scene. I won't post those links, however.

By Jacob West on Feb 16, 2008 | Permalink

We don't get that many cartoons about code review, so when a new one crops up, it's cause for celebration. If you don't think it's hilarious, you need to do more code review. Many thanks to Mark Curphy.

By Brian Chess on Feb 06, 2008 | Permalink

NIST has announced what they call a Static Analysis Tools Exposition (SATE). Participating static analysis tools will be used to analyze a small set of programs selected by NIST. Eventually all of the results will be made public. I like the idea a lot, and I'm going to make sure Fortify takes part in both the C and Java tracks.

Running a bunch of programs against the same test cases might seem like a straightforward exercise, but it's not. Finding an even-handed way to examine complicated tools is tough, and the fact that NIST is emphasizing the detection of security vulnerabilities makes it that much tougher. (Tell me again, what exactly constitutes a "vulnerability" in source code?) Just browse through the steps in the SATE protocol to get a feel for the complexity involved.

To make the exercise even more difficult, everyone who makes a tool can't help but worry that they'll come out looking bad. After all, this sounds a little bit like the setup for a product review. We've seen those before. (Here's a link to the one Network Computing did in the middle of 2007: link.) Product reviews generally have winners and losers. NIST says they'll work hard to avoid these kinds of labels, but it's not going to be easy. All of this makes test case selection a touchy subject, and comparative presentation of the results is an absolute minefield.

The problems are many, but there's also a lot to be gained. Here are the three reasons I'm looking past all of the complexity and anxiety and participating in SATE:
1) People who want to run their own tool comparisons will benefit. You might like the way SATE works or you might not, but you'll be able to see what they did and where it took them.
2) Tool builders will benefit. Static analysis for security is a hot topic in both industry and academia. The results will give us a little bit of insight into which problems we've conquered and which ones require more work.
3) The security community will benefit. Being able to compare output from different tools will give us a better idea about how the tools classify code, and my guess is that we'll learn that our nomenclature still needs improvement. Better nomenclature makes it easier to talk to the 99% of humanity that doesn't think about software security every day.

By Brian Chess on Feb 04, 2008 | Permalink

It appears that a buffer overflow vulnerability in The Legend of Zelda for the Wii, and that’s all hackers need in order to run their own code on the machine. Here’s the scoop.

Pretty soon this will mean game pirating for the Wii without the need to get out your soldering iron. That’s important if you want to get people to steal games in the same casual manner they steal music. Piracy is a big deal for all modern gaming platforms because most of the money comes from software (games) not from hardware.

Apple has run into similar trouble recently. It seems that more than a million iPhones have been unlocked, and I think it’s safe to assume that it’s mostly happening using the simplest mechanism out there, a web site that exploits a buffer overflow in the iPhone. That means Apple is missing out on their cut of the phone subscription going to AT&T, and that has to hurt.
The moral to this story is this: if your business relies on the security of your software, you’ve got two choices:

• Design a system that will be secure even when people discover a few bugs.
• Make sure you don’t have even a single bug.

By Brian Chess on Jan 29, 2008 | Permalink