6/2/2015 10:30 AM
Kevin E. Greene
Commentary

Shaping A Better Future For Software Security

Industry and government leaders discuss ways to improve practices, awareness and education around secure software development. Here's a recap of what you missed.

I recently had the awesome privilege of participating in an exploratory working group (EWG) designed to help shape the future of software security and assurance, focused on accelerating the adoption of new practices that deliver software resiliency for today's cyber-driven world. As many notable security breaches and incidents have shown, poorly developed software plays a significant role in exposing the vulnerabilities that threat actors exploit.

The net effect is that vulnerable software poses a significant threat to this nation. As we rely more and more on software, the impact of security breaches and incidents will continue to rise.

The goal and vision for the EWG is to "create a very succinct and concrete plan of real-world actions that are executable today for a more resilient software world." The group consisted of invited representatives from Parasoft, Cigital, Amazon Web Services, Google, Bug Crowd, Veracode, Microsoft, Aetna, Heartland Payment Systems, the Software Assurance Marketplace (SWAMP), Kestrel Technologies, Data Theorem, Elavon, Secure Decisions, and the Open Crypto Audit Project. Several universities were also represented: University of Maryland, Carnegie Mellon, University of Nebraska-Omaha, University of Wisconsin, and George Mason University.

There were four working group sessions led by industry experts:

Gaps in Assurance Tool Technologies, Bart Miller, Chief Scientist for the SWAMP

  • Capability gaps: What are the most urgent problems that current tools are not finding? 
  • Language gaps: What languages and environments are not well covered by current tools? 
  • Usability gaps: What obstacles make current tools unnecessarily difficult to use?

SWAMP Certificates: Labeling Software with Assurance Levels to Improve the Software Supply Chain, Mark Sherman, Director at Software Engineering Institute (SEI)

  • Could SWAMP act like Underwriters Laboratories and issue a "UL" label? What would need to go into such a label? Could SWAMP check enough to at least shame the worst software? How could the labels be popularized so that there is consumer demand (or a financial distinction) for them?
  • What kinds of technical assistance can provide assurance of software components used by their consumers? How can the use of open-source components be assured? What practices can be implemented to limit the risk of insider threats in the software supply chain?

A more orthogonal encyclopedia of software weaknesses than Common Weakness Enumeration (CWE), Paul Black, Computer Scientist at National Institute of Standards and Technology (NIST)

  • CWEs were a great advance for their day. We now understand that the classes of weaknesses tools report don't match well with CWEs. Tools must extensively over- or under-generalize. And attacks are scarcely integrated into CWEs. A general nomenclature or systematic way to describe software weaknesses could be based on chains and composites, Software Fault Patterns, and Semantic Templates. Tool builders could clearly explain to users what their tool catches (and what it doesn't).
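What a "chain" looks like in code, as an added illustration that is not from the article or the working group (the record layout, the 32-bit length field and the function names are constructed for this example): CWE catalogues CWE-680, "Integer Overflow to Buffer Overflow", as a chain in which CWE-190 leads to CWE-119. The vulnerable size computation is shown beside the check that breaks the chain; the overflow itself is measured rather than triggered so the program runs cleanly.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example (not from the article): a buffer is sized for
 * `count` fixed-width records read from an untrusted length field, the
 * kind of 32-bit length a network or file parser often carries.
 *
 * Weakness chain CWE-190 -> CWE-119, catalogued by CWE as the chain
 * CWE-680 "Integer Overflow to Buffer Overflow":
 *   1. count * RECORD_SIZE wraps in 32-bit arithmetic (CWE-190),
 *   2. malloc() is asked for the wrapped, tiny size,
 *   3. the copy that trusts `count` runs past the allocation (CWE-119).
 */
#define RECORD_SIZE 16u

/* Vulnerable link 1: the size malloc() would be asked for. For
 * count = 0x10000001 the product is 0x100000010, which wraps to 16. */
uint32_t unsafe_alloc_size(uint32_t count)
{
    return count * RECORD_SIZE;           /* CWE-190: unchecked multiply */
}

/* Link 2, measured rather than triggered: how many bytes a loop that
 * writes `count` records would land beyond the wrapped allocation.
 * The 64-bit product is what the code needed; the 32-bit one is what
 * it got. A nonzero result is the heap overflow (CWE-119). */
uint64_t overrun_bytes(uint32_t count)
{
    uint64_t needed    = (uint64_t)count * RECORD_SIZE;
    uint64_t allocated = unsafe_alloc_size(count);
    return needed > allocated ? needed - allocated : 0;
}

/* Hardened: keep the 32-bit size field but reject any count whose
 * product cannot be represented, before multiplying. Returns 1 and
 * stores the size on success, 0 if the count would overflow. */
int safe_alloc_size(uint32_t count, uint32_t *out)
{
    if (count > UINT32_MAX / RECORD_SIZE)
        return 0;                         /* CWE-190 closed here */
    *out = count * RECORD_SIZE;
    return 1;
}

/* Hardened allocation: NULL instead of a too-small buffer, so the copy
 * that follows never runs against a wrapped size (breaks the chain). */
unsigned char *alloc_records_safe(uint32_t count)
{
    uint32_t size;
    if (!safe_alloc_size(count, &size))
        return NULL;
    return malloc(size ? size : 1);       /* avoid malloc(0) ambiguity */
}

int main(void)
{
    uint32_t hostile = 0x10000001u;       /* wraps: 0x10000001 * 16 */
    uint32_t size = 0;
    int ok;

    printf("unsafe size for %u records: %u bytes\n",
           (unsigned)hostile, (unsigned)unsafe_alloc_size(hostile));
    printf("bytes written past that allocation: %llu\n",
           (unsigned long long)overrun_bytes(hostile));
    ok = safe_alloc_size(hostile, &size);
    printf("safe_alloc_size accepts hostile count: %d\n", ok);
    ok = safe_alloc_size(1000u, &size);
    printf("safe_alloc_size for 1000 records: %d (%u bytes)\n",
           ok, (unsigned)size);
    return 0;
}
```

A tool that flags this code may report it as CWE-190 alone, as CWE-119 alone, or as the chain CWE-680; which one it picks is exactly the over- or under-generalization the session describes, and it matters for triage because the fix lives at the first link, not at the copy.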

Mobility App Security Threats, Sam Malek, PhD, George Mason University

  • What kinds of security threats are posed by mobile apps and app markets? 
  • What tools and techniques currently exist for vetting mobile apps and reducing the security risks?
  • What are the promising areas of future research and development? 

Talking points

  • In trying to understand why software developers are not using software assurance tools, one participant noted, "If the tools are so great, why aren't more developers using them?"
  • There was a discussion on adding a human process to the automation in software development to help interpret and prioritize the security weaknesses identified in software. For organizations it is important to understand which defects or weakness classes matter the most.
  • Incorporating safety-type checks into the software assessment process, similar to the way a seatbelt in a car is inspected to ensure it works as intended.
  • Rethinking the way software development is taught, with an increased focus on secure coding, and finding ways to feed new advancements and discoveries back into the learning process.
  • Incentivizing quality and security as part of the software development process. Can organizations get economic value from developing secure code?
  • Building a culture in organizations that formalizes software assurance as part of the software development process, and finding ways to make secure easy and insecure obvious.
  • Is it easier to teach security to developers than to teach security professionals how to be developers? Many organizations are starting to evaluate the benefits of hiring developers into their security organizations.

Overall, I thought the initial meeting was successful; it helped confirm the need to keep software security assurance at the center of cyber security conversations. I want to share with you some of my key takeaways:

  • The gaps in software assurance tools are understated; the tools are not as good as perceived. As a result, many software developers don’t have confidence in using software assurance tools. This leads to more security weaknesses in software during maintenance phases. Improving software assurance tools for early adoption is important to increase confidence in using them.
  • There is a growing dependency on open-source software. Consequently, focusing on how to validate, verify, and assess software as part of the software supply chain is critical to determine risks in third-party software. 
  • The idea of incentivizing secure software development activities seems like a realistic outcome, or a practice that many organizations can put in place to help improve the overall quality and security of software. This will help make secure easier, and insecure the obvious (Thanks, Casey Ellis.)
  • If you teach coding, you have to teach and enforce good coding practices. Teaching kids and students how to code is an excellent idea, but teaching them the quality and security aspects of coding is even more important. Many computer scientists believe you must teach how to design a secure system prior to teaching someone how to code.

The next EWG is tentatively scheduled for October. As part of this session, the group would like to get more industry engagement from open-source developers, security researchers, and executives and stakeholders responsible for security within their organizations. If you are interested in participating, please contact me or share your thoughts in the comments.

Kevin Greene is a thought leader in the area of software security assurance. He currently serves on the advisory board for New Jersey Institute of Technology (NJIT) Cybersecurity Research Center, and Bowie State University's Computer Science department. Kevin has been very ...
Comments
KevGreene_Cyber (Author), 7/11/2015 2:17:41 PM
Re: Will the EWG be publishing a report?
That's a possibility at some point. With all the cyber legislation coming out from a federal perspective, it would be nice to have something that complements the changes in the cyber landscape. Stay tuned!!!

eeiland (Apprentice), 6/8/2015 10:13:24 AM
Will the EWG be publishing a report?
This is a useful overview. Will the EWG be releasing a more detailed report?

KevGreene_Cyber (Author), 6/4/2015 11:55:40 AM
Re: Great to see this effort
@Chenxiwang -- thanks for the feedback. Yes, the software supply chain is becoming a greater challenge, given the fact that open-source software is more widely used and reused. We are definitely trying to define an appropriate approach to address 3rd-party software.

Thanks again for your support.

chenxiwang (Apprentice), 6/3/2015 10:06:02 AM
Great to see this effort
A great step to take for the industry. Software security has always been an Achilles heel, and the software supply chain as a whole has not been serious enough to take on this challenge. I hope the working group will produce something concrete and usable.