Finding the flaws in software

Featured eBooks
NASCIO 2025 Special Report
Changing Workforce
Future of Tech Infrastructure
Insights & Reports
The next phase of modernization: Transparency, trust and technology that endures
Presented By Lumen
Download Now
OpenText Core Data Discovery and Risk Insights
Presented By Carahsoft
Download Now
By William Jackson,
GCN

By William Jackson,
GCN

|

Tools that analyze code or examine the behavior of an application can improve the security of software, although no tools can find every problem.

Quote: “If you don’t ask for secure and reliable software, you’re not going to get it,” Stan Wisseman, Booz Allen Hamilton

Everyone agrees that the software quality should be improved -- from the system administrator whose network has been compromised to the home user whose PC has crashed. Major software vendors are on board the software assurance train, too. Microsoft and Oracle, for example, have programs to improve their product development.

So why are there still so many problems in software? Brian Chess, founder and chief scientist of Fortify Software, cited two problems: Technology, which is impossible to solve, and social practice, which is even harder.

On the technology side, no tool will ever be able to completely assure the absence of vulnerabilities, Chess said.

The math is complex, but “from a computer science point of view, it is a provably impossible problem” to solve, he said. “This turns it from a scientific endeavor to an engineering endeavor. We know we can’t be perfect, so how close to perfect can we be?”

On the social side, too many people involved in software development have not been paying attention to security for too long. “People have been writing code for 50 years, and until recently security was not a part of their job description,” Chess said.

Software developers are not necessarily being negligent or incompetent when weaknesses that could lead to malicious exploits creep into their code. Weaknesses in the code often are not readily apparent, and many get propagated as snippets of existing code are incorporated into multiple applications. Tools that analyze code or examine the behavior of an application can help spot these problems, but on their own they are insufficient.

“For several reasons, no tool can correctly determine in every conceivable case whether or not a piece of code has a vulnerability,” the National Institute of Standards and Technology said in the document specifying minimum requirements for source code analysis tools. “First, a weakness may result in a vulnerability in one environment, but not in another.” And theoretical limitations of analysis tools aside, “practical analysis logarithms have limits because of performance and intellectual investment.”

But even the imperfect tools that are available are seldom used to best advantage. In government agencies, security requirements too rarely are priorities in software development, and best security practices are too seldom applied in the development life cycle, said Steve Lavenhar, an associate at Booz Allen Hamilton. Security controls in government regulations focus on network issues, and software development typically is focused on functionality, he said.

“You’re dealing with a security mindset that is not focused on software,” Lavenhar said. “You don’t have a clear and well-defined basis for developing software from the beginning.”

Stan Wisseman, a senior associate at Booze Allen, said most software development still is on the front slope of the awareness curve. “You keep running into folks who just don’t get it,” he said.

However, Lavenhar is not a pessimist about software assurance. “If you look at where we were five years ago, things are a lot better,” he said. In the last two years, tools for evaluating the security and reliability of software have begun to mature, although even at their best, “no one tool is going to find everything.”

The scope of the challenge should not discourage programmers from trying to improve the quality of software, Chess said. “If people don’t have the will to try, you don’t make any progress.”

There are two basic approaches to code analysis: static and dynamic, each with its own strengths and weaknesses.

Static analysis analyzes at the source code, if it is available, and looks for potential problems. “You are going to get complete coverage and examine every line of code,” Chess said of this approach.

The downside is that the tool might not recognize every problem, and not all of the weaknesses it does identify will be significant. Another problem is that static analysis does not identify problems in the architecture of the software, Lavenhar said. A static approach might identify vulnerabilities in the code itself but miss problems with the way the code is put together and executes.

Dynamic testing, on the other hand, examines the behavior of a program while it is running and looks for problems. “You get very tangible results,” Chess said -- when you see a problem, you can be reasonably sure about how significant it is. “The downside is it is hard to get good coverage,” because a test situation cannot duplicate all of the states in which a program will operate.

The best bet is to use a combination of tools, with a variety of static analyses to identify possible problems, and dynamic analysis to prioritize those problems based on the behavior they create in the program.

In its special publication 500-268, “Source Code Security Analysis Tool Functional Specification,” NIST has spelled out the basic capabilities a code analysis tool should have, identifying 21 basic weaknesses -- from the Common Weakness Enumeration database maintained by Mitre -- that each should be able to identify. But the ability to identify a given weakness is not the only measure of how well a tool is working. There is a tradeoff between false negatives and false positives for which each tool must be adjusted.

“Since no tool can be omniscient, a tool may be written to be cautious and report questionable constructs,” the NIST document states. “Some of those reports may turn out to be false alarms or false positives. To reduce wasting users’ time on false alarms, a tool may be written to only report constructs that are (almost) certainly vulnerabilities. In this case it may miss some vulnerabilities,” or produce false negatives.

A tool that produces neither false positives nor false negatives is impossible, even in theory, NIST says. “Tools may use a combination of approaches to balance performance, false alarms and missed vulnerabilities.”

Because tools by themselves will not achieve the goal of reliably secure software, the Homeland Security Department’s Software Assurance Initiative has made technology only one of four main pillars of the program. The others are people, process and acquisition. People must be educated to produce reliable software, and processes must be put in place for developing and testing software to ensure its quality. But some observers say that software assurance is as much an acquisition issue as anything else.

“If you don’t ask for secure and reliable software, you’re not going to get it,” Wisseman said.

“This really is an acquisition problem,” said Jack Danahy, chief technology officer of Ounce Labs, which produces source code analysis tools. Requirements for security functionality and quality have to be spelled out. This is what the Defense Department and some other agencies are beginning to do, and vendors are becoming more proactive about the quality of their programming as they see these requirements in their contracts.

However, controlling the development of software throughout its lifecycle is complicated by the fact that most software written today is actually a patchwork of new and existing code, which interacts with additional code that often lies outside of the application.

“The applications aren’t homogenous,” Danahy said. “They are not one whole. There are a lot of component pieces that feed into it.”

As a result, ensuring the safety and reliability of that code becomes more difficult because it often comes from multiple sources.

“There are few organizations that write everything from start to finish,” said Peter Vescuso, vice president of business development for Black Duck Software. “It’s not competitive. Why reinvent the wheel?”

Back Duck’s Code Center tool is a platform for managing a heterogeneous environment by identifying open-source code that is incorporated in many applications. Open-source projects are gaining popularity as a source of reliable functional components that can be plugged into applications. There are hundreds of thousands of open-source projects and tens of billions of lines of code available for reuse.

A good argument can be made that because of the open nature of the development process and the number of eyeballs scanning the source code, open-source software is more secure and reliable than proprietary software. However, the quality, reliability and licensing requirements vary from one application to another, and from one version of an application to another. Code Center can identify the source of code in an application and back it up with a database with metadata to help manage the different pieces throughout the application’s lifecycle.

This does not guarantee security, but being able to identify the source of the code in an application can help in evaluating it.

Despite improvements in recent years in the quality of software and the ability of developers and users to evaluate it, software assurance remains an elusive goal.

“We’re making a lot of progress, but we’re still at the beginning of having the tool set that will address the problem,” said Booz Allen’s Lavenhar.

For the time being, the best advice for users is caveat emptor, Chess said. “It is up to the customer to assure that the person supplying the code understands the security concerns of the customer.”

NEXT STORY: CES' practical approach

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.