Risk
3/31/2011
12:09 PM
Connect Directly
RSS
E-Mail
50%
50%

Microsoft Blames Poor Development Practices For Security Risks

Windows and Internet Explorer are at greater risk of attacks because developers don't use mitigation technologies built into the software, said Microsoft.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Too few applications and browser plug-ins are implementing attack-blocking security mechanisms built into Windows and Internet Explorer.

Microsoft made that assertion in "The SDL Progress Report," released Wednesday, which details the evolution of the company's security development lifecycle, used internally, as well as the uptake of mitigation technologies that Microsoft makes available to developers.

Two of those mitigation technologies are Data Execution Prevention (DEP), which helps prevent attackers from executing arbitrary code, and address space layout randomization (ASLR), which makes it difficult for attackers to locate objects, such as DLL files, that they might use to create a successful exploit.

But when Microsoft studied 41 of the most popular and latest consumer applications -- from Microsoft and others -- it found that while 71% of applications fully enable DEP, only 34% of applications fully enable ASLR. Furthermore, 70% of surveyed browser plug-ins don't implement ASLR, while only 20% of surveyed security products fully implement ASLR. As a result, those products and plug-ins, and by extension also IE and Windows, are at greater risk of attack.

Poor uptake of DEP and ASLR might be less of an issue if more organizations pursued secure development practices, which would independently help organizations avoid many of the bugs that DEP and ASLR attempt to block. Yet many organizations don't factor security into their software development lifecycle, which leaves their code at greater risk of being exploited by attackers.

Blame ignorance. "Awareness of security development practices is pretty low, and unfortunately if it's low, that gives criminals a potential advantage," said David Ladd, principal program manager for Microsoft's SDL group, in an interview. "That said, the business decision-makers we've talked to who are aware of security development processes, they need some assurance of ROI."

Secure development -- aka security development -- offers excellent ROI, or return on investment, said Ladd. For example, the average cost required to mitigate and fix a security issue, based on a 2010 report from Aberdeen Group, is $300,000 per vulnerability, per incident, he said. Compare that to the average cost of running a security software program in a development organization, which is $400,000 per year. "So at that point, a single security issue . . . nearly offsets your entire investment in the secure development software lifecycle," he said.

Here's an example of secure development at work: At the PWN2OWN 2011 contest held earlier this month at the CanSecWest conference, security researcher Stephen Fewer of Harmony Security chained together three vulnerabilities -- two for code execution, and another to escape IE's protected mode sandbox -- to successfully exploit the target machine via IE8.

But in the course of IE9 development, said Ladd, Microsoft had already independently identified and eliminated two of those bugs from the IE9 code base, which he offered as proof that taking the time to review code for security errors is a worthwhile pastime. "The reason we caught those two was not because of luck or serendipity, but because we did our homework and found out what the problem was," he said.

In other words, practicing secure coding techniques requires upfront investment, but produces results. "If people want to have a safer computing experience, then they need to invest up front to make sure the proper things are done to ensure security, for when it comes time to do business on the Internet," said Ladd.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0640
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authenticated users to bypass intended restrictions on resource access via unspecified vectors.

CVE-2014-0641
Published: 2014-08-20
Cross-site request forgery (CSRF) vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2014-2505
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to trigger the download of arbitrary code, and consequently change the product's functionality, via unspecified vectors.

CVE-2014-2511
Published: 2014-08-20
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop before 6.7 SP1 P28 and 6.7 SP2 before P14 allow remote attackers to inject arbitrary web script or HTML via the (1) startat or (2) entryId parameter.

CVE-2014-2515
Published: 2014-08-20
EMC Documentum D2 3.1 before P24, 3.1SP1 before P02, 4.0 before P11, 4.1 before P16, and 4.2 before P05 does not properly restrict tickets provided by D2GetAdminTicketMethod and D2RefreshCacheMethod, which allows remote authenticated users to gain privileges via a request for a superuser ticket.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.