An Argument for Performing Intelligent Fuzzing on your custom applications

The Challenge

It is evident that cyber security threats face everyone. We also face challenges because we have limited resources, budget, and skill sets. Yet we must do our best to mitigate the additional attack surface that the software in our applications brings into the picture. Those of us who produce software bear responsibility for making sure our architecture, design and code are as secure as possible, so that we do not introduce additional risk into a user or customer environment.

Vulnerabilities Enable Attacks

  • Vulnerabilities are not created when a system is being attacked; they enable attacks.
  • Vulnerabilities are implementation errors that are introduced into the code when the programmer makes a mistake. They become vulnerabilities once the software is released, exposing the software to attacks.
  • Security researchers, security companies and hackers discover some of the vulnerabilities, and if they choose to report their findings, they enable software developers to create patches for the vulnerabilities found.
  • However, other vulnerabilities still exist in the code, waiting to be exposed. These unknown vulnerabilities are called zero-day vulnerabilities. Software vendors are unaware of their existence, so there are no ready patches for them.
  • Once a zero-day vulnerability is triggered, the developers race against the clock to get it fixed before irrevocable damage is done to the company’s sales or reputation.

All Vulnerabilities are Exploitable

  • Attackers need to find vulnerabilities in a device or a system in order to devise an attack against it. Basically, any crash-level bug can be exploited to attack a system or an application.
  • Attackers send unexpected inputs to a system, and if they can get an abnormal response from the system, they continue to refine their inputs until they get the system to behave the way they want.
  • Sometimes bugs can be exposed by simple individual inputs, and sometimes attackers have to exchange longer message sequences with the system in order to reach the deeper protocol layers.
  • In some cases, vulnerabilities can even be triggered by events like heavier than normal use or maintenance.
  • Therefore, the best way to ensure the security of your systems is to build security into them by finding and fixing these critical bugs before they become security vulnerabilities. The goal of both penetration testing and static code analysis is to produce better quality software by finding vulnerabilities in the code before deployment.

Software Security Tests

Software Security Tests are performed at different phases of the Software Development Lifecycle. The typical progression is as follows:

The Advantages Are Not Always Balanced

I mentioned before that we face many challenges as software developers. It may appear that we are always at a disadvantage, but we also have some advantages on our side.

Shifting The Balance

We need to be creative in taking the advantages we have as developers and testers and integrating them in a way that shifts the balance in our direction.

How Can We Shift the Advantage?

One way we can shift things our way is to employ focused penetration testing:

Testing For Unknowns Can Be Challenging

It is easy to say that we need to test for zero-day vulnerabilities, but these are typically unknown issues. How can we test for them? How you approach your testing is important. You must test the following:

Intelligent Fuzzing Can Help

There are two main types of fuzzing: Intelligent (or Smart) fuzzing and Dumb fuzzing.

Depending on your environment, you can use both types on the same code (Smart and Dumb fuzzing). Smart fuzzing is selected for the parts where we need more strategy and must match specific criteria. Dumb fuzzing is for the simplest tests, where we just need to randomize without any criteria. The criteria for Intelligent fuzzing can also include criteria for testing design and architecture. This is the approach I am most familiar with, and it has helped me find vulnerabilities that I had not previously considered looking for. The complete spectrum is to define criteria that take advantage of all the things you know about your product, and then look for the edge or corner cases.
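As an added example (not code from the original post), here is a small Python harness that shows the difference in practice: a constructed toy parser with a deliberate bounds bug sitting behind its magic and checksum validation, a Dumb fuzzer that overwrites random bytes of a valid seed, and an Intelligent fuzzer that respects the format's criteria and drives the length field to boundary values. The message format, the parser and the 16-byte buffer size are all assumptions made up for illustration.

```python
import random
from functools import reduce

BUFFER_SIZE = 16  # size of the simulated fixed-size destination buffer (constructed)

def xor_checksum(payload: bytes) -> int:
    return reduce(lambda acc, b: acc ^ b, payload, 0)

def build_record(payload: bytes) -> bytes:
    return b"FZ" + bytes([len(payload), xor_checksum(payload)]) + payload

def parse_record(data: bytes) -> bytes:
    # Constructed format: magic "FZ", 1-byte length, 1-byte XOR checksum, payload.
    if len(data) < 4 or data[:2] != b"FZ":
        raise ValueError("bad header")
    length, checksum = data[2], data[3]
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if xor_checksum(payload) != checksum:
        raise ValueError("checksum mismatch")
    buf = bytearray(BUFFER_SIZE)
    for i, b in enumerate(payload):
        buf[i] = b  # deliberate bug: no bounds check; IndexError stands in for an OOB write
    return bytes(buf[:length])

def run_fuzzer(cases):
    # ValueError is the parser rejecting input by design; anything else is a crash-level bug.
    crashes = []
    for case in cases:
        try:
            parse_record(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes

def dumb_cases(seed_input: bytes, count: int, seed: int = 1):
    # Dumb fuzzing: overwrite one random byte of a valid seed with a random value.
    rng = random.Random(seed)
    for _ in range(count):
        mutated = bytearray(seed_input)
        mutated[rng.randrange(len(mutated))] = rng.randrange(256)
        yield bytes(mutated)

def smart_cases(seed: int = 1):
    # Intelligent fuzzing: keep magic and checksum valid (the format's criteria) and
    # push the length field to boundary values around the buffer size.
    rng = random.Random(seed)
    for length in (0, 1, BUFFER_SIZE - 1, BUFFER_SIZE, BUFFER_SIZE + 1, 255):
        yield build_record(bytes(rng.randrange(256) for _ in range(length)))
```

Because the checksum acts as a gate, single-byte Dumb mutations of the seed are rejected before the copy is ever reached, while the format-aware cases trigger the bug as soon as the length passes the buffer size.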