Project Finds, Purges Vulnerable Code Snippets From The Net

Community effort hopes to clean up insecure code found in the public domain

There's insecure software, and then there's insecure code samples available online in open source, Web forums, developer manuals, and even university materials. A brand-new project quietly launched last week aims to eradicate this source of bad code, which feeds into the cycle of insecure software development.

The Eliminate Vulnerable Code Project (eVc), the creation of Seattle-based security vendor Digital Security (DigitSec), is a community-driven effort where participants root out insecure code samples found online, and specifics of the vulnerabilities are available only to members of the project. Among the organizations in discussion with eVc for possible collaboration is the Open Web Application Security Project (OWASP).

"Our hope is to eliminate examples or citations of vulnerable code," says Waqas Nazir, chairman and CEO at DigitSec. "If someone uses vulnerable code from a Web forum, a document, or an open-source project, they have most likely put themselves up to [being at risk] of an attack or exploit."

His own company, which among other things conducts penetration testing, sees this problem firsthand. "As a company, we've been able to break into a lot of systems using open-source projects, which are known to have certain vulnerabilities," he says.

Nazir says the eVc project stops short of fixing the code. "Our end goal is not to make any project or website look bad. Our goal is to create a safer software development environment," he says. "We see a lot of bad examples of source code on Web properties and even in books used to train developers.

"We will provide a digest of reports to the site/owners alerting them of the issues contributed by the community. There will be no direct reference to an existing product where the code is actually in use, so there is no concern of making this available [publicly]."

The project will employ "crawler" tools to detect flawed lines of code, as well as use other forums and submissions from contributors. "We hope to basically collect everything that gets reported and make it available," he says.

EVc is currently in discussion with several potential sponsors and will also rely on members from websites, universities, and open-source projects who will work with the site to get the vulnerable code removed or fixed.

Insecure code is posted to forums and other sites every day, and it's a massive problem that's difficult to solve, security experts say.

"Introducing software vulnerabilities via code reuse is an age-old problem. Every day, insecure code is posted to forums like Stack Overflow, and unsuspecting developers copy and paste it into their projects without fully understanding how it works or what coding flaws may be present," says Chris Eng, vice president of research at Veracode.

Eng says attempting to wipe out bad sample code is a "worthwhile goal," but the problem is so huge that an approach like eVc ultimately isn't scalable enough to handle it. "Even if we set aside open source projects, books, and other sources, the amount of code being posted to Web forums alone is tremendous, and it's increasing at a rate that far outpaces the bandwidth of qualified application security experts," Eng says.

Prutha Parikh, a security researcher with Qualys, says the eVc Project appears to be in the same vein as a risk she recently discovered: example scripts or software that come bundled with production-grade software, leaving customers at risk.

[ Security researchers have reported spikes in mass SQL injection attacks of late that take advantage of very common vulnerabilities in the way that Web applications interact with back-end databases. See Mass SQL Injections Spike Again. ]

"EVc focuses on buggy software that comes from books, training material, and unmaintained software, and it finds its way into production software. My blog on 'Risks of Vulnerabilities in Example Scripts Bundled with Software' is in a similar spirit, but focuses on example scripts or software that comes bundled with production-grade software instead," she says.

She recommends that vendors remove these supporting files and scripts when they ship their software. These not-ready-for-prime-time scripts can include programming examples, help files, and other scripts for installation and configuration. "The actual software may be security-hardened, but many times these supporting files contain vulnerabilities," Parikh wrote in her blog post.

The eVc Project, meanwhile, has more than a handful of contributors as of this posting and already has logged around 15 vulnerable code samples, such as SQL injection, cross-site scripting, cross-site request forgery, buffer overflow, format-string, and clear-text encryption key vulnerabilities.
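As an added illustration of two of the vulnerability classes listed above, and of the kind of "crawler" check for flawed code samples the project describes, here is a small scanner written for this page (it is not code from the article, from DigitSec, or from the eVc project). The two snippets it scans are constructed for illustration, and the rule names and regexes are heuristics assumed here, not anything the project publishes: one snippet builds SQL by string concatenation and embeds a clear-text encryption key, the other uses a parameterized query and reads the key from the environment.

```python
import re

# Constructed sample snippets (not taken from any real forum or project).
# VULNERABLE_SNIPPET shows two of the classes named in the article:
# SQL built by string concatenation, and a clear-text key in source.
VULNERABLE_SNIPPET = '''
import sqlite3
ENCRYPTION_KEY = "0123456789abcdef"   # hard-coded key, committed in clear text

def find_user(cur, name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cur.execute(query)
    return cur.fetchall()
'''

# The same logic with a parameterized query (DB-API placeholder) and the
# key read from the environment at runtime instead of being embedded.
HARDENED_SNIPPET = '''
import os
import sqlite3
ENCRYPTION_KEY = os.environ["APP_ENCRYPTION_KEY"]

def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''

SQL_VERB = r"\b(?:SELECT|INSERT|UPDATE|DELETE|DROP)\b"

# Each rule: (name, regex). The regexes are assumed heuristics for common
# ways untrusted data gets spliced into a SQL string in Python code.
SQL_RULES = [
    ("sql-concat", re.compile(SQL_VERB + r'.*["\']\s*\+\s*\w')),
    ("sql-percent-format", re.compile(SQL_VERB + r'.*["\']\s*%\s*[\w(]')),
    ("sql-str-format", re.compile(SQL_VERB + r'.*["\']\s*\.format\(')),
    ("sql-f-string", re.compile(r'\bf["\'][^"\']*' + SQL_VERB + r'.*\{')),
]

# Variable names that, when assigned a long quoted literal, usually mean
# a secret has been written into the sample in clear text.
KEY_RULE = re.compile(
    r'(?i)\b\w*(?:secret|passw(?:or)?d|api[_-]?key|encryption[_-]?key|private[_-]?key)\w*'
    r'\s*=\s*["\'][^"\']{8,}["\']'
)


def scan_snippet(snippet):
    """Return [(line_no, rule_name, stripped_line)] for every suspicious line."""
    findings = []
    for line_no, line in enumerate(snippet.splitlines(), start=1):
        code = line.split("#", 1)[0]          # ignore trailing comments
        for name, rx in SQL_RULES:
            if rx.search(code):
                findings.append((line_no, name, line.strip()))
                break                         # one SQL finding per line is enough
        if KEY_RULE.search(code):
            findings.append((line_no, "cleartext-key", line.strip()))
    return findings


def rule_names(snippet):
    """Just the rule names that fired, in order; handy for digests and tests."""
    return [name for _, name, _ in scan_snippet(snippet)]


if __name__ == "__main__":
    for label, snippet in (("vulnerable", VULNERABLE_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        print(f"== {label} ==")
        for line_no, name, text in scan_snippet(snippet) or [(0, "no findings", "")]:
            print(f"  line {line_no}: {name}: {text}")
```

Run stand-alone, the scanner reports the hard-coded key and the concatenated query in the vulnerable snippet and nothing in the hardened one. Regex rules of this kind are cheap to run over large volumes of pasted code, which is why they suit a crawler, but they trade precision for coverage: a query assembled across several lines, or a key stored under an unusual name, is missed, and a harmless string that happens to contain a SQL keyword can be flagged. In a real programme the hits would go to a reviewer before being reported to a site owner, as the article's digest-of-reports model implies.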


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
