Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

7/6/2021
01:00 PM
Jeff Williams
Jeff Williams
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

It's High Time for a Security Scoring System for Applications and Open Source Libraries

A benchmarking system would help buyers choose more secure software products and, more importantly, light a fire underneath software producers to make products secure.

Prompted in part by devastating attacks such as those on SolarWinds Orion, Microsoft Exchange, and Colonial Pipeline, the White House issued an executive order on cybersecurity in May. Application security is a prominent part of the document, with special emphasis on software supply chain security for all applications used by the federal government.

Related Content:

4 Habits of Highly Effective Security Operators

Special Report: Building the SOC of the Future

New From The Edge: rMTD: A Deception Method That Throws Attackers Off Their Game

The administration's emphasis on software supply chains is welcome considering the current threat environment. SolarWinds customers, for example, had no control over the integrity of that company's software and no way of knowing there would be a problem with a particular software update. SolarWinds Orion was simply off-the-shelf software they had purchased. In fact, affected SolarWinds customers were doing the right thing by installing updates quickly.

A Possible Software Security Scoring System
Although the regulations needed to implement the executive order have not yet been issued, one possible way of benchmarking compliance would be a rating system for software security. The Cyberspace Solarium Commission (CSC), which was formed in 2019 to develop a consensus on a strategic approach to defending the United States against cyberattacks, recommended in its 2020 report a voluntary system — similar to the Energy Star ratings on US appliances and Singapore's rating system for Internet of Things (IoT) devices. Others are pushing to make it mandatory.

Some observers have advocated for a scoring system for software for more than a decade. A public software security label with an easy-to-understand, easy-to-calculate overall score and supporting details is the key. Some consumers will use the label to choose more secure software products, but more importantly, such a labeling scheme will motivate software companies to improve their public scores by investing in robust application security for their products.

What Should a Scoring System Look Like?
While a software scoring system could take different forms, one requisite aspect is the need to take the entire software supply chain into account. Software providers need to know the security ratings of their applications' component parts — the open source libraries that are so ubiquitous in software these days. This is because upwards of 90% of applications contain code from third-party libraries. Once a piece of off-the-shelf software is taken to market, the users of that software need a single, overall security score that accounts for the component parts.

It is infeasible to come up with a perfect instrument to measure every aspect of security for every type of software possible. But it is possible to create a framework that (1) empowers software buyers to make more informed decisions, and (2) encourages producers to build better software with more security visibility.

Below is a conceptual model to help imagine how such a scoring system might work. Software is simply evaluated against six key security areas and assigned a grade. As you can see, things are haphazard or nonexistent at the bottom, while those at the top are continuous, automated, standardized, and comprehensive.

(Source: Contrast Security)
(Source: Contrast Security)

Based on an application's score in each of these categories, an overall letter grade could be assigned that would be visible on product webpages, marketing materials, and physical packaging. Based on this easy-to-understand letter grade, organizations and consumers choosing between two different software solutions could take security into account when they make their decision.

Every software user should be able to see letter grades (A, B, C, D, F) for their applications and open source libraries in real time, along with notifications when those scores change. The same system should provide actionable information to developers on the best way to improve an application's overall score. This would provide a unified platform of tools that ensures security across the entire software development life cycle — during build, test, and run.

Software Scoring: Enabling Informed Decision-Making
A software scoring system would improve national security by enabling organizations, such as the federal agencies recently victimized by the SolarWinds attack, to make informed decisions. It will also light a fire underneath software producers to take the needed steps to make their products secure.

 

Jeff brings more than 20 years of security leadership experience as Co-Founder and Chief Technology Officer of Contrast. Previously, Jeff was Co-Founder and Chief Executive Officer of Aspect Security, a successful and innovative application security consulting company ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-0652
PUBLISHED: 2021-10-22
In VectorDrawable::VectorDrawable of VectorDrawable.java, there is a possible way to introduce a memory corruption due to sharing of not thread-safe objects. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitati...
CVE-2021-0702
PUBLISHED: 2021-10-22
In RevertActiveSessions of apexd.cpp, there is a possible way to share the wrong file due to an unintentional MediaStore downgrade. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: An...
CVE-2021-0703
PUBLISHED: 2021-10-22
In SecondStageMain of init.cpp, there is a possible use after free due to incorrect shared_ptr usage. This could lead to local escalation of privilege if the attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation.Pr...
CVE-2021-0705
PUBLISHED: 2021-10-22
In sanitizeSbn of NotificationManagerService.java, there is a possible way to keep service running in foreground and keep granted permissions due to Bypass of Background Service Restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User intera...
CVE-2021-0706
PUBLISHED: 2021-10-22
In startListening of PluginManagerImpl.java, there is a possible way to disable arbitrary app components due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersi...