Source code bugs have been a constant in the software industry since the dawn of computers — and have ever been a major source of attacks, exploits and security incidents. Presently, with virtually every aspect of our lives and daily business becoming connected and dependent on software in one way or another, the potential destructiveness of software bugs has become orders of magnitude more dramatic than it used to be, say, 20 years ago.
Juniper, Fortinet, AMX, Socat, Linux Mint and VTech are just some of the companies providing network- and Internet-related services that have been recently hit with vulnerabilities in the source code of their products, directly putting the security and privacy of millions of users at risk.
This reality reflects the fact that source code security technologies and practices have unfortunately not kept pace with the progress of technology, and it warrants the need to change the perspective and perception of source code security, which should be to discover and root out serious vulnerabilities and flaws before software is released.
Web applications and networking software are especially sensitive to source code vulnerabilities, because they both can be exploited remotely and potentially provide attackers with a beachhead to move laterally across a network and conduct other, more dangerous attacks. Web applications are especially critical as they are easier to breach and continue to be an attractive target for hackers.
The mid-November hack of websites belonging to giant toy maker VTech, which resulted in the theft of personal information belonging to more than 5 million users, was carried out by exploiting a SQL injection (SQLi) vulnerability in the site’s source code. SQLi is one of the most trivial and yet dangerous types of attacks that can be carried out against web servers.
A more recent web application hack was that of the official Linux Mint distribution website, which hackers silently compromised in February in order to upload and distribute a backdoored version of the OS. By the time the breach was discovered and patched, thousands of infected copies of Linux had been downloaded by unfortunate users.
Last December, networking giant Juniper revealed it had discovered two mysterious backdoors in the software running on its firewalls, which could effectively be exploited to decrypt protected data passing through its firewalls. The amount of damage dealt could not be assessed because the vulnerability had been running for months. But given the fact that the tech firm is a main provider to the likes of AT&T, Verizon, NATO and the U.S. government, one can expect the numbers to be soaring in the millions.
Another relevant case that surfaced on the heels of Juniper’s backdoor was that of its competitor Fortinet, which was found to have embedded a hardcoded password in its FortiOS software that gave SSH access to servers running it. SSH is the interface used to remotely administer servers.
Audio-visual conferencing gear provider AMX also made the headlines earlier this year, after Austrian research firm SEC Consult reported the discovery of “deliberate backdoor” embedded in its NX-1200 controller product, which the firm claimed was a maintenance feature but could be used to gain remote administrative access to the product. AMX products are widely used by the U.S. government and military.
In all cases, the discovered vulnerabilities were simple and straightforward bugs that could’ve easily been identified and rooted out before it became damaging. Yet inadequate practices and insufficient tools have contributed to the exploits slipping by the developers.
Traditional methods are usually dependent on security audit professionals who are hired to peruse application code and test it in action in order to discover vulnerabilities and make recommendations for mitigating threats. Likewise, the tools used in these processes are disparate and tailored for security auditors and not developers. These types of procedures and tools are only applicable to large software development firms and would eliminate smaller companies that do engage in coding, but on a smaller scale.
This model has many flaws and limitations, including the requirement that application development be either complete or well underway before it can be tested, which makes the safeguarding process a reactive one, at best. Also, depending on periodical or one-time security audits will only put the application to test at specific points in time and will fail to provide source code security throughout the entire life cycle of the application.
This approach also has drawbacks from an economic standpoint, because correcting application bugs in the production phase instead of development can prove to be both time-consuming and expensive. And when in a rush to meet release deadlines, developers and publishers are wont to cut back on the more thorough testing that comes at the end of the development process.
A successful approach to source code security would be one that is holistic and easy to use, which could be integrated into the processes of all firms and labs that are involved in software development, regardless of the limits of their resources and budget. New code security tools should enable developers to identify and root out security holes as they’re coding, not after they’re finished.
“bugScout is an SAST [static application security testing] tool developed by our team of security audit experts,” explains Pablo de la Riva Ferrezuelo, CTO and founder of Buguroo, “but it has been created to be adjusted to users across the spectrum. So it can be used by coders with little security knowledge or security auditors with little coding knowledge, or anyone who falls in-between.”
Basically, bugScout is a service that blends in with your development environment and constantly analyzes your application’s source code as you develop it, using different methods and information gathered from different standards.
Ferrezuelo believes that bugScout will address challenges caused by previous SASTs, “which generate a lot of false positives and require the assistance of many experienced security auditors,” he explains. “It will also lower development costs,” he adds, “by starting the flaw identification process early in the development life cycle instead of waiting for the application to be feature complete before putting it to test.”
bugScout’s sibling, bugBlast, is a next-generation appsec management platform that unifies many types of vulnerability testing tools with real-time intelligence to test the application, its hosting infrastructure and its third-party service providers against known threats and malicious behavior patterns at runtime during development and after it goes into production.
Both tools are available as cloud-based services and standalone installations.
As Kevin Kelly, CEO of LGS Innovations explains, “CodeGuardian fills the void left by current security solutions, which, taken individually, aren’t complete and comprehensive and require expertise to be used effectively.”
CodeGuardian is a technical solution embedded into existing products to enhance security defensiveness; it hardens network devices by removing known vulnerabilities and inoculating the software source code and binary executable to enhance overall network security.
The solution uses proprietary technology and processes to identify and eliminate vulnerabilities and backdoors in a network component’s source code. It also uses diversification techniques to generate and distribute various binary images of the same software to further reduce the possibility of uniformly applied cyberattacks against a product line.
CodeGuardian is already being used by Alcatel-Lucent Enterprise to secure software solutions within their OmniSwitch family of networking equipment.