The Rise of Software Security 79
Posted
by
Unknown Lamer
from the insecurity-through-obscurity dept.
from the insecurity-through-obscurity dept.
Gunkerty Jeb writes with an article in Threatpost. From the article: "Perhaps no segment of the security industry has evolved more in the last decade than the discipline of software security. At the start of the 2000s, software security was a small, arcane field that often was confused with security software. But several things happened in the early part of the decade that set in motion a major shift in the way people built software ... To get some perspective on how far things have come, Threatpost spoke with Gary McGraw of Cigital about the evolution of software security since 2001."
Re:re C and C++ were disasters (Score:4, Informative)
C and C++ ARE disasters. gets() and >> can NOT be used safely. Period. Tons of functions in the standard libraries have been rewritten with secure variants, to try to make it vaguely possible for developers to keep track of buffer lengths. Still, some APIs screw it up and it's nearly impossible for an intelligent human to get it right every time without static analysis tools to back him up.
HTTP is not a disaster but it clearly was not envisioned with security in mind. All attacker provided data is strings, input data comes from a variety of sources; there are way more HTTP verbs than strictly necessary. The authentication provided with the spec is "encrypted" with Base64. Actually, if this protocol were designed today to its original form, it would be laughed out of its security architecture review.
Re:Mod parent up. (Score:5, Informative)
You can write secure code in almost any language.
Perhaps you want to believe that claim.
And yet, the ongoing real world persistence of privately reported array out-of-bounds errors [microsoft.com] in critical security-dependent code continues to show that apparently, even the best programmers objectively can't write secure code even if their professional reputations depended on it.
At least, they may be occasionally capable of writing secure code, but they're not capable of never writing any insecure code, or even testing for the existence of insecure code in the code they have released. Third parties have that priviledge. We don't know how many of the third parties who find these bugs are black hats, because we only hear from the white hats. But a 50/50 split between white and black security researchers seems like a good wild-ass guess. So figure one zero-day for every reported monthly security bug. Are you scared yet? You should be.
Is this ongoing security massacre the fault of the language programmers are using? Absolutely yes. The point of security is that 99% correct isn't good enough when that 1% of errors your toolchain didn't automatically detect can get your entire customer base simultaneously rooted. And array out-of-bounds errors have been a solved problem in some languages since 1970 [wikipedia.org].
In 2011, insisting on using a language, or any other tool, which doesn't solve a forty-one year old already solved problem is simply an error.