Dark Reading is part of the Informa Tech Division of Informa PLC

Risk

5/23/2012
05:02 PM

Project Finds, Purges Vulnerable Code Snippets From The Net

Community effort hopes to clean up insecure code found in the public domain

There's insecure software, and then there's insecure code samples available online in open source, Web forums, developer manuals, and even university materials. A brand-new project quietly launched last week aims to eradicate this source of bad code, which feeds into the cycle of insecure software development.

The Eliminate Vulnerable Code Project (eVc), the creation of Seattle-based security vendor Digital Security (DigitSec), is a community-driven effort where participants root out insecure code samples found online, and specifics of the vulnerabilities are available only to members of the project. Among the organizations in discussion with eVc for possible collaboration is the Open Web Application Security Project (OWASP).

"Our hope is to eliminate examples or citations of vulnerable code," says Waqas Nazir, chairman and CEO at DigitSec. "If someone uses vulnerable code from a Web forum, a document, or an open-source project, they have most likely put themselves up to [being at risk] of an attack or exploit."

His own company, which among other things conducts penetration testing, sees this problem firsthand. "As a company, we've been able to break into a lot of systems using open-source projects, which are known to have certain vulnerabilities," he says.

Nazir says the eVc project stops short of fixing the code. "Our end goal is not to make any project or website look bad. Our goal is to create a safer software development environment," he says. "We see a lot of bad examples of source code on Web properties and even in books used to train developers.

"We will provide a digest of reports to the site/owners alerting them of the issues contributed by the community. There will be no direct reference to an existing product where the code is actually in use, so there is no concern of making this available [publicly]."

The project will employ "crawler" tools to detect flawed lines of code, as well as draw on other forums and on submissions from contributors. "We hope to basically collect everything that gets reported and make it available," he says.

eVc is currently in discussion with several potential sponsors and will also rely on members from websites, universities, and open-source projects who will work with the site to get the vulnerable code removed or fixed.

Insecure code is posted to forums and other sites every day, and it's a massive problem that's difficult to solve, security experts say.

"Introducing software vulnerabilities via code reuse is an age-old problem. Every day, insecure code is posted to forums like Stack Overflow, and unsuspecting developers copy and paste it into their projects without fully understanding how it works or what coding flaws may be present," says Chris Eng, vice president of research at Veracode.

Eng says attempting to wipe out bad sample code is a "worthwhile goal," but the problem is so huge that an approach like eVc ultimately isn't scalable enough to handle it. "Even if we set aside open source projects, books, and other sources, the amount of code being posted to Web forums alone is tremendous, and it's increasing at a rate that far outpaces the bandwidth of qualified application security experts," Eng says.

Prutha Parikh, a security researcher with Qualys, says the eVc Project appears to be in the same vein as a risk she recently described, where example scripts or software come bundled with production-grade software, leaving customers at risk.

"EVc focuses on buggy software that comes from books, training material, and unmaintained software, and it finds its way in production software. My blog on 'Risks of Vulnerabilities in Example Scripts Bundled with Software' is in a similar spirit, but focuses on example scripts or software that comes bundled with production-grade software instead," she says.

She recommends that vendors remove these supporting files and scripts when they ship their software. These not-ready-for-prime-time scripts can include programming examples, help files, and other scripts for installation and configuration. "The actual software may be security-hardened, but many times these supporting files contain vulnerabilities," Parikh wrote in her blog post.

The eVc Project, meanwhile, has more than a handful of contributors as of this posting and already has logged around 15 vulnerable code samples, such as SQL injection, cross-site scripting, cross-site request forgery, buffer overflow, format-string, and clear-text encryption key vulnerabilities.
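The vulnerability classes listed above, SQL injection first among them, are exactly the kind of defect a crawler of the sort described earlier would have to recognize in posted code. The block below is an added illustration, not eVc project code or tooling: it shows a forum-style user lookup written the insecure way and the parameterized way, a probe that runs both against a constructed in-memory SQLite database, and a deliberately crude line-level heuristic that flags SQL text assembled from variables. Every function name, the sample rows and the scraped-looking snippet are constructed for this example.

```python
"""Added illustration (not eVc project code): a forum-style SQL lookup written
the insecure way and the parameterized way, a probe that runs both against a
constructed in-memory SQLite database, and a crude heuristic scanner of the
kind a code-sample crawler might use to flag SQL assembled from variables.
All names and sample data here are constructed for the example."""
import re
import sqlite3


def make_db():
    """Constructed sample database: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn, name):
    """The kind of sample the article describes: the query is built by string
    formatting, so whatever the caller passes becomes part of the SQL text."""
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Hardened form: the driver binds the value as data, never as SQL text,
    so quotes or keywords in the input cannot change the statement."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def probe(name):
    """Run both lookups on a fresh database and report the unsafe one's
    failure mode as a string instead of letting it raise."""
    conn = make_db()
    try:
        unsafe = find_user_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        unsafe = "error: %s" % exc
    return unsafe, find_user_safe(conn, name)


# Heuristics for a line-level scanner: a SQL keyword on the same line as a
# string literal that is concatenated (+), %-formatted, or an f-string with a
# placeholder. Deliberately crude; a real crawler would parse the language.
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
STRING_BUILT_FROM_VARIABLES = re.compile(r"""["']\s*(\+|%)\s*[\w(]|\bf["'][^"']*\{""")


def flag_sql_built_from_strings(snippet):
    """Return the 1-based line numbers in `snippet` where SQL text appears to
    be assembled from variables rather than passed as a parameterized query."""
    hits = []
    for lineno, line in enumerate(snippet.splitlines(), start=1):
        if SQL_KEYWORD.search(line) and STRING_BUILT_FROM_VARIABLES.search(line):
            hits.append(lineno)
    return hits


# Constructed stand-in for a snippet scraped from a developer forum: one
# function concatenates the name into the query, the other binds a parameter.
FORUM_SNIPPET = '''\
def get_user(conn, name):
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def get_user_by_id(conn, user_id):
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
'''


if __name__ == "__main__":
    # A well-formed name works either way.
    print(probe("bob"))
    # A legitimate name containing an apostrophe breaks the string-built
    # query (a SQL syntax error) while the parameterized one simply finds no row.
    print(probe("o'brien"))
    # The scanner flags only the concatenating line of the forum snippet.
    print(flag_sql_built_from_strings(FORUM_SNIPPET))
```

The probe deliberately uses an ordinary name with an apostrophe rather than an attack string: the point for a reviewer of posted samples is that the string-built query is already incorrect on legitimate input, which is the same property that makes it exploitable. The scanner is a triage aid only; it will miss queries assembled across several lines and will flag some harmless formatting, so hits need a human reader before a report goes to a site owner.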

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
