Risk

4/10/2008
02:32 PM
RSA: The Case For Code Testing

Automated security tools are the best way to reduce application-layer vulnerabilities, said cybersecurity veteran Howard Schmidt.

Holding court at the RSA Conference in San Francisco, cybersecurity veteran Howard Schmidt summed up the major security problem today: "The business applications you need to run your business are the applications that make you more vulnerable."

That's a problem worth considering, now that cybercriminals are focusing on application-layer vulnerabilities. Since Microsoft made security a priority six years ago, a move echoed by other vendors, operating system and network-layer vulnerabilities have become harder to find. There are still holes, to be sure, but these days they are far more plentiful in the application layer, particularly in Web 2.0 apps.

Exploitable errors can appear in any kind of code, but Web 2.0 applications, which more and more companies are coming to depend upon, may be particularly vulnerable if not coded with security in mind. Many Web applications rely on JavaScript, for example, a language that was not designed with security as a first concern.

A recently released report, "Why application security is crucial," from U.K.-based research firm Quocirca, explains: "One of the key security problems with using JavaScript is that it can be manipulated by attackers in order to gain access to the information being transported."

Another problem, the report says, is that Web 2.0, or Ajax, applications tend to rely on a large number of small modules and on far more interaction between client and server than traditional programs, which adds complexity and increases the likelihood of programming errors. "The large number of small modules also makes Ajax more vulnerable to attack as it increases the overall attack surface, with each request for information and response representing a potential attack vector," the report says.

The research firm conducted a study in December of 250 senior IT executives in Germany, the United Kingdom, and the United States. It found that among respondents developing Web 2.0 applications, "a significant number are reporting that they are encountering vulnerabilities that are specific to new programming languages and this can actually increase the overall number of vulnerabilities to which the organization is exposed."

Schmidt, president and CEO of R&H Security Consulting and a former cybersecurity adviser at the White House, eBay, the FBI, and Microsoft, likes to tell an anecdote to illustrate what he believes needs to happen. He points out that he can buy a sports jacket with a tag that says, "Inspected by No. 16," but he can't get code with a similar certification.

As it happens, Schmidt serves on the board of Fortify, a software company that sells tools for finding software vulnerabilities in computer source code. Partisan though he may be, he makes a good case for why automated code testing helps keep organizations secure. It's an argument the government appears to have bought: Schmidt pointed out that federal agencies are starting to demand code analysis. "I wouldn't be surprised to see independent labs in the future validating code," he said.

The Quocirca study, commissioned by Fortify, suggests that organizations that use automated security tools during development spend a smaller share of their IT budgets on security, although survey data of this kind shows a correlation rather than a cause. "Over 10% of U.K. respondents spend more than 15% of their IT budget on security -- but are the least likely to use automated tools for application security," the report says. "Conversely, 96% of German organizations spend less than 10% of their IT budgets on security and make the most use of automated tools for building security into applications during the early stages of the software development life cycle."

Asked to characterize the overall state of cybersecurity, Schmidt is surprisingly optimistic. "We know now what to do and how to do it," he said. "We just have to get it done."
