The Value of Secure Coding Procedures

I recently had a very interesting conversation with Dave Hyman of Checkmarx, who asked me how I saw the future of cyber security (or information security, take your pick). Now, as I'm sure you'll agree with me, that's a fairly abstract question that can go a lot of ways. My friends will confirm that I enjoy waxing philosophical in discussions like that, but given what Checkmarx does with code security, that is the direction this talk went. And there really is a lot to say about secure coding practices that I feel doesn't quite get the limelight it deserves. Any information security course or lesson in a security certification will stress that security should be part of the code design practice rather than being tacked on at a later stage; I couldn't agree more. Unfortunately, the security precautions taken in the coding process, which turns a design into a working product, are often overlooked, and that is a mistake.

(Before I continue: I should note that I am NOT a professional coder; if I make a mistake in my reasoning, please let me know.) In a paper I once wrote I referred to an "industry standard" with regard to the number of bugs per line of code. The argument was that as long as humans keep writing software, the "human element" guarantees that we will always remain vulnerable to exploitable bugs and errors in code. Of course not all bugs lead to exploitable vulnerabilities, but a percentage will, and that is a problem and a great risk. I dug up my source, a book called Code Complete by Steve McConnell. The book points out that the industry average is about 15 – 50 errors per 1000 lines of code (the book was published by Microsoft Press, so I am sure you won't find it surprising that they mention that Microsoft applications have an average of 10 – 20 defects per 1000 lines of code). To put that in the perspective of a larger application, Microsoft's Windows 7 is estimated to have roughly 50 million lines of code; this means that if they adhered to the industry average, there are between roughly 750,000 and 2,500,000 defects in Windows 7!

Even if Microsoft's code quality is well reviewed and above standard, we can estimate between 500,000 and 1,000,000 code errors in Windows 7! Any one of these could be a mistake that allows remote code execution, which is considered the jackpot for anyone trying to hack their way into the system. Mind you, these are just mistakes, and mistakes will happen no matter what you do. A good quality control program should be able to detect and reduce this number of errors. Some, or many, of these code errors will lead to heavy security risks in the application and to the user. These coding errors are due to careless coding practice and an inability to detect vulnerabilities. The code may function, but the code will be insecure. An excellent example of this is SQL Injection. SQL Injection is the "art" of being able to run SQL statements directly against the database backend of a website, either by using a form field or the URL box in the browser. By doing so, you can ask questions of the database that you really shouldn't be allowed to ask, such as asking it to tell you all the usernames and passwords in the database. Or, more commonly, all the credit card information of every customer in the database. This has been around since 2002 and there are several solutions available that prevent SQL Injection attacks. The fact that this technique is still responsible for the majority of major successful data breaches tells us that not everyone is aware of how proper coding technique can prevent SQL Injection attacks.
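As an added illustration (not code from the original post), here is the coding defect described above beside the parameterized form that prevents it; the in-memory table, its rows and the form input are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory database standing in for a website's backend
    # (sample data for this example only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The defect: the statement is built by string concatenation, so the
    # form field's content becomes part of the SQL text. A quote in the
    # input closes the literal and whatever follows is parsed as SQL.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # The fix: a placeholder is bound by the driver, so the input is always
    # treated as data and can never change what the statement does.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed form input: a quote followed by an always-true condition,
    # the kind of value a code review or input test should exercise.
    tainted = "nobody' OR '1'='1"
    print(lookup_vulnerable(db, "alice"))      # one row, as intended
    print(lookup_vulnerable(db, tainted))      # every row in the table
    print(lookup_parameterized(db, tainted))   # no rows: no such user
```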

Many buffer overflow or buffer underrun vulnerabilities are also caused by not properly setting boundaries, which can easily be prevented by developers being more aware of secure coding techniques. Review of these techniques and code review solutions are what you can expect to learn at "secure coding" courses. We should seriously consider making these courses part of the norm for hiring programmers or developing programming talent. Many people will groan and protest at that statement, because it's another burden on an already stressed industry. I agree that it is not the easiest way forward, but courses and code review solutions may very well be the cheapest method of getting more secure software applications.

A secure coding class is a one-off and relatively inexpensive; it beats having to actively hunt for and patch insecure code. Such an effort for secure coding must come from the software development industry itself. The end customer won't ask for secure coding, because most look only at software capability and cost. The customer trusts us that the product is secure, and we, as an industry, should accept our responsibility and enforce higher security standards on our products. This starts with practicing secure programming. At the rate we are adopting technology into our daily lives, we should start sooner rather than later.

PFC Parts’ Delectable Cyber Security Shopping List

Over the last two years I've seen several outcries over the supposed great shortage in capable Cyber Warriors. But what does this mean, in terms of required skills? Most articles seem to ask for quite a lot; their Cyber Warriors seem to be required to be able to defend their networks (CND in military parlance), attack their adversary's network (CNA), engage in Cyber Espionage (CNE), reverse engineer malware and probably a bit more. I found it hard to get a single answer, but SANS seems to agree with the previous list. At least, they do if you go by their Cyber Guardian program, which is essentially a group of SANS certs stacked together. But realistically: do you really need such heavily certified people at every position? And that's not even going into the deeper issue of how capable these people actually are. After all, they may well have gotten through all these exams by just being really good students (rather than actually understanding the material).

An article at NPR quotes a James Gosler who is, apparently, a "veteran cybersecurity specialist who has worked at the CIA and the NSA", though they don't explain what standards they used in determining his skills. In the article Gosler states that the US would need between 20,000 and 30,000 cyber warriors. It's a number that keeps coming back, but it's not really elaborated on in the article.

A study done by the US Center for Strategic and International Studies (CSIS) also speaks of a human capital crisis in Cyber Security and may offer some insights that can also be used outside of the US, though of course the numbers will vary. CSIS uses roughly the same numbers as the article but mentions that there are a variety of people and skills involved. From the appendix in the report we learn that CSIS found a shortage in the following roles:

High Priority
Systems Operation and Maintenance Professionals
Network Security Specialists
Digital Forensics & Incident Response Analysts
Information Security Assessors

Medium Priority
Information Systems Security Officers
Security Architects
Vulnerability Analysts
Information Security Systems & Software Development Specialists

Low Priority
Chief Information Officers
Information Security Risk Analysts

Cyber Deterrence – Methods & Effectiveness

The term "Cyber Deterrence" is gaining traction lately, with regard to the act of deterring cyber attacks. I've seen at least one author (Richard Clarke) use it in his book about Cyber Warfare. In many cases the proponents of this term invoke existing deterrence strategies, such as the MAD doctrine that was used to prevent the use of nuclear weapons during the Cold War, and use them as a model for Cyber Warfare.

As part of a Cyber Warfare course I am following, I was asked to write a research paper about Cyber Deterrence. In it, I was to research and analyze the proliferation of cyber capabilities and discuss cyber deterrence and its likelihood of success. I was to specifically address traditional methods of deterrence, including trade sanctions, import and export restrictions and other economic sanctions. After I started seriously working on this paper, I realized that all the sanctions in the world weren't going to apply to cyber warfare; a capable attacker would never give you a target to retaliate against.

I changed direction and, because I didn't want my paper to become a carbon copy of Martin Libicki's "Cyber Deterrence and Cyberwar" (RAND Corporation), I took a different approach that breaks Deterrence Theory into three parts. The assignment was very clear about the amount of content it was to contain, so it's fairly brief, but it covers the salient points well enough that I decided to upload the resulting work here on Argent.

Please find the Research Paper here: Cyber Deterrence – Methods and Effectiveness

UPDATE: Modified the paper at the request of the reviewer. The above link was changed on Jan 13, 2011 at 11:00 AM.