GUEST ESSAY – The role of automation in protecting software from malicious and unintended use

Writing code can be compared to writing a letter.

When we write a letter, we write it in the language we speak – and the language the recipient understands. When writing code, the developer does so in a language that the computer understands, that is, a programming language. With this language, the developer describes a program scenario that determines what the program should do and under what circumstances.

If we make errors or typos in the text of the letter, its content is distorted. Our intentions or requests can be misinterpreted. The same thing happens when the developer makes mistakes in the code, inadvertently leading to vulnerabilities.

The system's operating scenarios then differ from those the software developer originally intended. As a result, the system can be brought into a non-standard state that the developer never foresaw, and an attacker can manipulate these non-standard conditions for their own purposes.

As an example, let’s take SQL injection, one of the most well-known methods of attacking online applications. Suppose we have an online service, an online bank, for example. We enter our username and password to log in. In an SQL injection attack, the intruder inserts malicious input into the strings that are sent to the server to be parsed and executed as part of a query. Starting from nothing more than an ordinary user account, the attacker can bring the system into an abnormal state and gain access to other users’ accounts.

Of course, the developer never intended the system to be used in this way. Yet, while writing the code, the developer made mistakes that led to the vulnerabilities that made such abuses possible.
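The login scenario above, as an added example that is not part of the original essay: a constructed in-memory user table, a login function that builds its SQL by string concatenation (the mistake the essay describes) and, beside it, the hardened version that binds the input as query parameters so it can never alter the query's structure. The table, the user names, the passwords and the textbook test input are all constructed for this illustration; a real system would store password hashes, not plaintext.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the online bank's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The developer's mistake: user input is spliced into the SQL text itself.

    Whatever the user types becomes part of the statement the database parses,
    so quotes and operators in the input change the meaning of the query.
    A static analyzer flags this pattern (string concatenation feeding a query).
    """
    sql = (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """The fix: a parameterized query.

    The SQL structure is fixed at development time; the driver binds the user's
    input as plain values, so the input is compared, never interpreted.
    """
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions against a valid login and the textbook tautology input."""
    conn = make_db()
    # Constructed test input that every SQL injection tutorial uses: it closes the
    # password literal and appends an always-true condition.
    tautology = "' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology),
        "hardened_valid": login_hardened(conn, "alice", "correct horse"),
        "hardened_tautology": login_hardened(conn, "nobody", tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the demo shows the vulnerable function "logging in" the unknown user as id 1 (the first row the always-true clause matches), while the hardened function treats the same text as a literal password that matches nobody and returns None. The query the vulnerable version ends up sending, `... AND password = '' OR '1'='1'`, is exactly the "non-standard state" the essay describes: a statement the developer never wrote.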

More code, more risk

Information systems are becoming more complex, and therefore the amount of code is increasing as well. A new mobile application, for example, requires as many lines of code as a 15-year-old Linux kernel. At the same time, developers rarely write code from scratch these days. They assemble ready-to-use pieces of code, i.e. existing microservices packaged in software containers, and then add another 10-20% of their own to create the new application.

In turn, the greater the amount of code, the greater the risk of errors that will lead to vulnerabilities. To illustrate this, I will tell you about an interesting case. We tested a thousand popular mobile applications against a set of parameters, compliance with which, according to our estimates, determines the security of the application.

It turned out that the average level of security is 2.2 points out of a maximum of 5. The only thing that saves these applications from mass attacks is that exploiting vulnerabilities in a mobile application without also going after its server side is costly and time-consuming enough that not every attacker is prepared to do it.

Continuing the analogy with writing texts: in the past, when an author wrote a book or a journalist wrote a newspaper article, their texts were always checked by a proofreader, a person who looked for errors and inconsistencies. Today, editors still exist, but their involvement has become optional.

The role of automation

The reason is that people have learned to partially computerize this work, building automatic checks for errors and typos into computer programs. These automatic checks have gradually become more complex and thorough. Now specialized software checks style and semantics as well as spelling.

The same thing has happened to writing code. We have quite smart systems, such as program code analyzers, that can detect inconsistencies, vulnerabilities and rule violations in written code.

They can be used in two modes depending on the amount of code. If the amount of code being developed is small, you can run the check manually. If we are talking about multi-level development involving hundreds of developers, where several tens of thousands of lines are written per day, it is much more efficient to run secure development processes (DevSecOps, Secure SDLC) with a code analyzer as their core.

To explain the mechanism of such processes through the above analogy, imagine a whole working group of proofreaders. They have a hierarchy and rules that define the order in which the proofreaders review a text, the requirements the text must meet, and the cases in which it must be sent back for revision. The same goes for secure development processes applied to software before release.

This is the world of software vulnerabilities we live in today. It takes vigilance and diligence to stay safe.

About the essayist: Dan Chernov is Technical Director of DerSecur, which provides LastScanner, a static application code analyzer capable of identifying vulnerabilities and undocumented features in applications for Google Android, Apple iOS and Apple macOS.

*** This is a syndicated blog from the Security Bloggers Network of The Last Watchdog written by bacohido. Read the original post at: https://www.lastwatchdog.com/guest-essay-the-role-of-automation-in-keeping-software-from-malicious-unintended-usage/