Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

11/8/2018
10:30 AM
Oege de Moor
Oege de Moor
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

5 Things the Most Secure Software Companies Do (and How You Can Be Like Them)

What sets apart the largest and most innovative software engineering organizations? These five approaches are a good way to start, and they won't break the bank.

Technology powerhouses such as Google, Microsoft, and Apple know how to get security right. They invest in the best technology, processes, and people to ensure that their engineering teams create secure software.

They're open about their methods for product security engineering. For example, Michal Zalewski, previously head of product security at Google and now VP of security at Snap, has a fascinating blog post with thoughts on how to manage a product security team. The Microsoft Security Response Center has a blog where team members regularly share ideas on how to improve security.

What sets apart the largest and most innovative software engineering organizations? Here are five approaches for changing your security practices and improving your security mindset and posture. These don't require investments akin to those made by technology giants.

Safer APIs to Prevent Vulnerabilities
Prevention is better than a cure, and ideally you make certain common mistakes impossible. For instance, common cross-site scripting vulnerabilities can be avoided by judicious use of automatic context-aware escaping. Similarly, the notorious problem of SQL injection can be avoided if you give up the ability to run arbitrary string data as queries on a database; instead, you should use a restricted API that builds up the queries in a structured manner — for instance, as prepared statements.

Catch Vulnerabilities at Time Zero
Mistakes will happen, even with perfectly designed, safe APIs. It's important, therefore, to continuously run analyses that catch mistakes that slipped through. The perfect point to do that is at code review time: close enough to time zero so that the developer's focus is still with the relevant code change, and yet with a time budget to run deep analysis. This article by the Google code analysis team explains the prerequisites for success. As the team points out, it's critical that the creation of new analyses can be crowdsourced, with everyone chipping in to define what good, secure coding standards are, and updating the analyses when new classes of vulnerabilities are identified.

Red Teams and Pen Testers to Identify New Blind Spots
To identify your blind spots, use internal red teams to do penetration testing or hire an outside company to attack your systems. It's an investment, but it can catch problems that are hard to detect mechanically. Bug bounty programs, such as those administered by BugCrowd and HackerOne, can be effective to find your blind spots. However, it's a waste of money if you don't implement the cheaper, automated means to first fill the more obvious holes. In fact, advances in artificial intelligence make it possible to apply some of the fuzzing techniques that professional pen testers employ, but automatically — the Microsoft Security Risk Detection service is an example. When pen testers or automated fuzzers find new blind spots, eliminate them by creating new code analyses, as described in the previous paragraph.

Make It Very Hard to Exploit Vulnerabilities
You're not going to stop all vulnerabilities entering the source code, so you must be prepared for the worst, making sure that even while vulnerabilities are there, they're extremely hard to exploit. One area under heavy development is that of moving target defense: randomizing heap layout (or code layout) so that attackers have a hard time figuring out how to exploit weaknesses in the code. Address space layout randomization, known as ASLR, is used as additional protection in Windows and Android, for example.

Organizational Structure: The Product Security Team
So far, we've looked at technical remedies, but organizational structure is important too, as argued in the blog post by Michal Zalewski mentioned earlier. A common theme at the best software companies is that there is no strict separation between security and engineering: The two are working together, always looking for opportunities to automate security expertise and integrate it into the developer workflow. For example, in the recent news that Facebook's security chief Alex Stamos resigned, The New York Times quoted an internal memo stating that the security team would no longer operate as a stand-alone entity but instead work more closely with product and engineering teams.

This trend has a name: the product security team. Typically, this team lives in the engineering organization, with a dotted line to the CISO, if that function exists. The CISO looks after IT security much more generally, while the product security team takes responsibility just for the products being developed internally.

The consequences of not moving product security into engineering can be very bad: Security teams simply report on problems and the dev team is pushed to deliver on new features instead of security and ignores the reports by the security team. Security teams are given incentive to report as many problems as possible (covering their butts in case of a breach), yet developers don't have time to look at all these reports because many of them are not real bugs but false positives. This separation is the old way, and it has been discredited.

True product security can only be achieved when all developers take responsibility for the security of the code that they write. The product security team's job is to give developers the knowledge and tools to do just that.

There is no standard playbook for how these important tech companies handle security, but they are sharing their tried-and-true methods with the community — something every company successful at security should do. As an industry, we need to think of security as an ecosystem, and sharing best practices is the best way to individually and collectively improve.

What sets apart the largest and most innovative software engineering organizations? These five approaches are a good way to start, and they won't break the bank.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Oege de Moor is the CEO and Co-Founder of Semmle. Prior to founding Semmle, he spent 21 years as a Professor of Computer Science at Oxford. During a sabbatical from Oxford, he joined Microsoft as a Visiting Researcher, working with Charles Simonyi (the original creator of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cheeseman
50%
50%
Cheeseman,
User Rank: Apprentice
11/12/2018 | 9:49:14 AM
Home run article
You in effect nail it by highlighting companies that are the most successful at securing their code. Instead of layering on controls and legislation companies can reduce vulnerability exposure by doing a great job in the development process. Thank you !
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...