Vulnerability Control in Software Applications

Code Defects

The IT industry is the fastest growing industry in the history of mankind, ahead of radio, television and telephony. The dynamism of changes leads to the fact that the modern education system simply does not have time to train qualified IT personnel - programmers, architects, analysts. The requirements for the competencies of such specialists are growing faster than they have time to learn. Hence the constant personnel shortage in this market, as a result, often the results of the work of IT teams have defects. Today, it is no surprise that software products of even the most famous manufacturers are often imperfect. We take it for granted and work with the software that developers give us. In turn, they, like other IT specialists, are doing their best to reduce the disadvantages.

The task of a high-class manager is the ability not only to select a team, but also to fit into budgets. Often, they do not allow hiring specialists with impeccable qualifications. In this situation, it is necessary to create such working conditions and processes for its implementation that even with an average level of competence of performers would allow to obtain results that exceed similar indicators in the market. Thus, competitive advantages are achieved.

What defects are present in the software and are they all the same? This question can be answered in different ways, building various theories of their classification. Here we present the division of software defects into classes in terms of differences in their management in the process of improving software quality in accordance with information security requirements.

The most common defect is programmer errors when developing code. Often the reason for their appearance is a lack of time or loss of attention during work. For example, a programmer develops code that, under certain conditions, must perform some actions, and in all other cases, others. The programmer pays great attention to the development of code that will be executed in 90% of cases of software execution. When it comes to handling the alternative, he gets tired, his attention is scattered, and some important aspects, such as the operator that determines the execution of a given code fragment, are only lost if the condition for the main fragment to be fulfilled is lost.

Another characteristic reason for errors in the program code is the introduction of changes to it. The developer changes one piece of code that can affect the functionality of another piece of the program. Then that functionality, the transformation of which was not supposed, becomes changed.

Typically, such errors are detected at the testing stage either by the developers themselves or by a special group of testers. To detect such errors, there are various theories and successful practices in developing test sets for technical specifications, regression tests and other methods that allow you to write a high-quality set of source data to verify a larger percentage of possible program execution scenarios.

Other defects that are more interested in information security specialists than developers are vulnerabilities. Vulnerability - a developer’s mistake that could be exploited by malicious users in order to gain unauthorized access to the management of a software application. Vulnerability is code that performs the correct actions in terms of the required functionality, but its execution has a side effect, the presence of which the programmer often may not know. The presence of such code fragments is not the result of fatigue, carelessness or lack of sufficient time for testing by the developer, as in the case of an error. Often the cause of vulnerabilities is the ignorance of programmers about the presence of side features of those language constructs,

Vulnerabilities are identified by experts in the field of code analysis, who are aware of the presence of side effects in certain language constructs. Also, many vulnerabilities can be detected as a result of testing software for information security requirements with special penetration tests. However, a more effective method for detecting them is semi-automatic static code analysis, which is performed by experts using special tools.

The most unpleasant defects in terms of detection capabilities are undeclared software capabilities (NDV). Undeclared features are the correct code in terms of both functionality and information security, so it is difficult to detect using automated methods. However, this code implements functionality that was not intended by the customer - it was introduced by the developer for his own purposes. Usually NDV are divided into bookmarks and a secret entrance (back door).

A bookmark is a functionality that is executed upon the occurrence of certain conditions and performs the actions intended by the developer. Often bookmarks are used to implicitly manipulate software. One of the most famous bookmark cases is the story of the City Bank developer. The programmer did not know what to do with the difference that occurs when rounding up the results of arithmetic operations when calculating interest on customer deposits, and did not come up with anything better than accumulating it on his personal account.

Secret entry is a code that allows the programmer to gain control over the software bypassing the rules specified in the technical task. The most often secret inputs are filled with software that is developed to order in order to be able to perform remote diagnostics of errors during the operation of the software application by the customer.

Undeclared features cannot be fully detected automatically, since such a code is correct. Experts in the field of information security find such defects through manual code analysis or using software tools to detect patterns of language structures in the source code that are characteristic for building NDV.

Where do defects in the program code come from?

Errors and vulnerabilities in program code usually appear not only due to the fact that technologies are changing, and developers do not have time to adapt to them, but also because of incorrect construction of the software development process.

Often, software requirements change faster than the IT team manages to implement them. One technical task is given, it is worked out by the architect, designers and transferred to work. But in the process, the development customer understands: the new market conditions require that the software being developed perform other functions. Despite the objections of the IT team, changes are made to the design documentation, and often directly to the code, breaking the elaborated architecture.

Another cause of errors and vulnerabilities is the complexity of the technologies used in the modern IT industry.

Developers are forced to use technologies that themselves may contain errors and vulnerabilities, as well as contribute to the emergence of new ones as a result of their improper implementation in the developed software. Modern software products are multilingual, cross-platform, the connections between the components of which they consist are so extensive that the programmer is simply not able to keep all the features in his field of attention. In addition, since software systems are developed by a team of specialists, errors and vulnerabilities often hide at the junction of components for which different people are responsible.

The appearance of undeclared features in the code is purely personal in nature and is difficult to control through the introduction of modern software development technologies. Although the practice of cross-monitoring development (before the code enters the main development branch, it must be checked by another programmer) and other organizational measures have some success. Undeclared features can be detected in code that was developed to order and where NDVs were specially introduced, it is possible only through its analysis.

Is it possible to control the presence of defects in the program code?

Today, all software that is operated in Russian companies can be divided into categories:

• Self-development is software that is developed either by the efforts of its IT team or by a third-party developer according to the technical task issued by the customer.
• Standard software developed by the Russian manufacturer, possibly customized and adapted to the business.
• Software developed by a small foreign manufacturer.
• Software developed by the global IT giant and delivered as a set of off-the-shelf modules.

Defects in software that is developed independently, it is recommended to reduce and control through the implementation of the practice of developing reliable software (Security Development Lifecycle, SDL), developed by Microsoft. One of the necessary conditions for its application is the availability of code analysis tools in the development cycle. So, at the development stage, programmers should use a tool for static code analysis, which allows detecting vulnerabilities directly during code writing. At the testing stage, in addition to conducting regression testing and testing on random data, it is recommended to use tools for dynamic code analysis that allow you to test a software product using penetration tests.

Today on the market there are several instrumental systems of code analysis, both static (using the source code using the "white box" method) and dynamic (without source code using the "black box" method). In addition, leading code analysis tools from manufacturers such as HP and IBM offer combined static and dynamic analysis, which allows you to map the results of dynamic analysis to source code. We can say that at present, the HP Fortify tool is the most effective code analysis tool that offers static, dynamic, as well as hybrid analysis in combination with a convenient interface and a good library of vulnerability search rules.

If the software is developed to order, then upon acceptance it must be checked for defects. This can be done by an internal team to control the quality of software products in terms of functionality and information security requirements. Verification can also be third-party, which involves the involvement of independent experts.

It is difficult to control vulnerabilities in software that is delivered to order, since information about the presence of defects goes a long way of checks, and then an equally long process of eliminating them follows. However, this does not mean that such software does not need to be checked and should be exploited as a "pig in a poke." It is recommended that vulnerability monitoring be performed by properly configuring perimeter security.

The key to a successful business is not an effective solution to problems, but the prevention of their occurrence. Proactive management has long conquered the world, proving its effectiveness not only in theory but also in practice. Adhering to these principles, we provide a full range of services for the analysis of software products for information security requirements:

• detection of NDV;
• vulnerability detection;
• development of recommendations to eliminate identified vulnerabilities;
• development of recommendations for protection, while developers eliminate the identified vulnerabilities;
• Building a complete development cycle of secure code (SDL).

Proactive vulnerability management in software that is operated by the business, while not only performing a serving function, but is also its competitive advantage, is the modern secret of success.

Article author: Ekaterina Troshina