They Say They Want a Revolution
Educational institutions churn out computer science degrees to fresh faced graduates bursting with new ideas and skills to match, but how well do they hammer home the need to write software securely?
Judging from the massive number of software vulnerabilities found each year, not very well at all. MITRE Corp., a nonprofit company that maintains one of the most authoritative catalogs of software security vulnerabilities, tracked more than 7,000 software security flaws in 2006, many of them Web application holes. Steve Christey, editor of MITRE's Common Vulnerabilities and Exposures (CVE) database, said most of those bugs could have been found and squashed "very easily, using techniques that require very little expertise."
Programmers can't be expected to catch every single flub, but consider the evidence collected by Rohit Dhamankar. He spends hours poring over the CVE database in his role as senior manager of security research at security vendor TippingPoint. Dhamankar found that about 85 percent of those security flaws stem from three well-understood and avoidable programming errors.
The most common of the errors occurs when an application or Web site accepts input from the user -- usually through something like a search box or e-mail form -- and passes it along to the rest of the system without validating or escaping it. When that text ends up inside a database query, a user can type characters such as a quotation mark to change what the query does. Attackers routinely use this technique, known as SQL injection, to force Web sites to cough up customer data from their back-end databases.
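To make that error concrete, here is an added Python example; it is not code from the article or from any of the vendors it quotes. It builds a throwaway SQLite table of constructed customer records and looks a user up two ways: by pasting the user's text into the query, the way the flawed sites do, and by binding it as a parameter. The table contents, the column names and the `' OR '1'='1` payload are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for this example (not from the article): a tiny
# customer table standing in for a site's back-end database.
CUSTOMERS = [
    ("alice", "alice@example.com", "4111-1111-1111-1111"),
    ("bob", "bob@example.com", "5500-0000-0000-0004"),
    ("carol", "carol@example.com", "3400-0000-0000-009"),
]


def make_db():
    """Create an in-memory database holding the constructed customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """The flawed pattern: the user's text is pasted into the SQL string.

    Nothing filters quote characters, so the input can close the string
    literal and append its own conditions to the WHERE clause.
    """
    sql = "SELECT username, email, card FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: the text is passed as a bound parameter.

    The database engine treats it as a value to compare against, never as
    SQL, whatever characters it contains.
    """
    sql = "SELECT username, email, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A hypothetical attacker payload: closes the quoted username and adds
    # a condition that is true for every row.
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))  # every row leaks
    print("safe:      ", lookup_safe(conn, payload))        # nobody has that name
```

With the payload, the vulnerable lookup runs `WHERE username = '' OR '1'='1'` and returns all three customers, card numbers included; the parameterized lookup searches for a customer literally named `' OR '1'='1` and returns nothing. Input validation is still worth doing for its own sake, but the parameter binding is what removes the injection.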
Bad guys also can use poor input filtering to exploit "cross-site scripting" vulnerabilities, or XSS. In these flaws a site echoes user-supplied text back into its own pages without encoding it, so an attacker can slip in HTML or script that runs in a victim's Web browser with the vulnerable site's privileges. Crooks use them to bypass security controls or to conduct sneaky attacks against Internet users through their browsers.
Phishers love cross-site scripting flaws. They can employ them to make their scam sites more convincing by forcing a targeted financial institution's Web site to load content from a site that the attackers control. In such a scenario, phishers send e-mail lures that instruct recipients to click on a link and update their account information. Instead of directing them to a purely fraudulent site -- such as the hacker's copy of a real login form -- the link puts the visitor on the bank's actual Web site, giving it a legitimate URL. The page, however, has been manipulated to display content controlled by the attacker.
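The phishing scenario above, as an added Python example rather than anything from the article: the bank host `bank.example`, the attacker host `evil.example`, the `q` search parameter and the iframe payload are all hypothetical. The lure link genuinely points at the bank, but its query string carries the attacker's markup, which the vulnerable search page echoes straight into its HTML; the hardened version HTML-encodes the term so the browser renders it as text.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical hosts, constructed for this example.
BANK_SEARCH = "https://bank.example/search"
ATTACKER_PAGE = "https://evil.example/login.html"

# A hypothetical payload: an iframe that fills the bank's page with a
# login form served from the attacker's host.
PAYLOAD = f'<iframe src="{ATTACKER_PAGE}" width="100%" height="600"></iframe>'


def phishing_link(payload):
    """Build the lure: the bank's real URL with the payload in the query string."""
    return BANK_SEARCH + "?" + urlencode({"q": payload})


def link_host(url):
    """The host a recipient sees when inspecting the link."""
    return urlparse(url).netloc


def render_vulnerable(term):
    """The flawed search page: the term is dropped into the HTML unchanged,
    so any markup it contains becomes part of the bank's page."""
    return f"<h1>Results for: {term}</h1>"


def render_safe(term):
    """The fix: HTML-encode the term (quote=True also encodes quotation
    marks, which matters when the value lands inside an attribute)."""
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>"


def serve(url, render):
    """Stand-in for the bank's search handler: read q from the query
    string and hand it to the chosen renderer."""
    term = parse_qs(urlparse(url).query).get("q", [""])[0]
    return render(term)


def loads_attacker_content(page):
    """True when the page contains a live iframe pointing at the attacker."""
    return "<iframe" in page and ATTACKER_PAGE in page


if __name__ == "__main__":
    lure = phishing_link(PAYLOAD)
    print("link host:", link_host(lure))            # bank.example
    print(serve(lure, render_vulnerable))            # attacker's iframe in the bank's page
    print(serve(lure, render_safe))                  # same text, shown harmlessly as &lt;iframe ...
```

The victim's address bar shows the bank's domain either way; only the encoding step decides whether the attacker's iframe is rendered or merely displayed as text. Encoding on output is the fix the text is pointing at, and it has to be applied everywhere user text is written into a page, not just on the search box.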
Last year, phishing gangs were spotted using a cross-site scripting flaw on PayPal's Web site to trick people into revealing their login credentials. Around that time, Security Fix worked with Secure Science founder and phishing expert Lance James to locate dozens of cross-site scripting flaws on the Web sites of major financial institutions.
Cyber criminals also can use cross-site scripting to directly attack third-party Web sites. Security Fix spent most of the weekend camped out at the ShmooCon hacker conference here in Washington. One of the more unnerving talks came from Billy Hoffman, a researcher with Web site vulnerability company SPI Dynamics. Hoffman showed how attackers were able to dupe users into visiting a specially crafted link. The attackers then could use cross-site scripting to force the user's browser to silently scan any public Web site for known security holes.
Jacob West, manager of software security research at Fortify Software, said the root of the problem is that companies and universities are teaching employees and students how to write insecure software.
"Take your favorite Web programming text, flip forward in it until you find some code: that will be a security flaw, almost undoubtedly," West said. "The reason for this is we teach people how to build software but we do it in the simplest way possible so that the programmer can achieve the feature they're interested in on-time and on-budget."
MITRE's Christey agreed. "This is the sorry state of software today. Most educational institutions have failed to teach the most fundamental skills in making secure products. There needs to be a revolution."
He may get one soon. Christey's remarks came at a press conference in Washington today detailing a new initiative involving more than 360 companies, government agencies and colleges to help software developers, programmers and students improve their knowledge of secure programming techniques.
The initiative is being spearheaded by the SANS Software Security Institute, which this year plans to offer a series of tests designed to measure an individual's ability to identify software programming errors that contribute to security holes.
SANS Research Director Alan Paller said the tests should help companies better evaluate consultants and candidates for programming jobs, allow programmers to identify gaps in their security knowledge, and give universities an incentive to include secure coding classes as a requirement for computer science, engineering, and programming degrees.
SANS offers training and certification programs, and these tests likely will generate new business for the company, but SANS is planning to make publicly available the set of criteria that people will be tested on. SANS and representatives from SPI Dynamics soon will be embarking on a 40-city tour to promote the program. So far, more than 20 universities nationwide have expressed interest in hosting the exams, Paller said.