More and more organizations are realizing that software security needs to be moved closer to the beginning of the development timeline. They’re starting to recognize that waiting until a product is close to market to assess its security posture just doesn’t cut it anymore. That means that developers need to take on more responsibility for security at the earlier stages of a project’s development. How early? According to a recent report from Veracode, developers should be making security choices before they write a line of code.
“When organizations are starting new development projects and selecting languages and methodologies, the security team has an opportunity to anticipate the types of vulnerabilities that are likely to arise and how best to test for them,” Chris Wysopal, CTO, CISO and co-founder of Veracode, wrote in the company’s State of Software Security: Focus on Application Development report.
In the report, Veracode draws on eight years of experience and analysis of more than 1.5 trillion lines of code to identify varying risks found in applications according to the language they use and the methods used to construct them. “If you’re starting a new development project where you’re selecting a language and platform, you might want to take security into consideration,” Wysopal said in an interview.
“I don’t think a lot of developers are going to do that, though, so the next best thing is to be able to predict that if you’re using a particular language or platform, you’re going to have certain kinds of vulnerabilities that will arise from the development process, and you should put testing in place to look for those issues,” he added.
Rewrite the security script
One finding is that scripting languages are more vulnerable to SQL injection and cross-site scripting attacks than applications written in .NET or Java. For example, 64 percent of applications written in Microsoft Classic ASP were found to have a SQL injection vulnerability when initially scrutinized by Veracode. Similar vulnerability rates were found for ColdFusion (62 percent) and PHP (56 percent). By contrast, a SQL injection vulnerability was found in only 29 percent of .NET apps and 21 percent of Java apps.
“This is of concern given the large numbers of web applications written atop PHP-based content management systems such as WordPress and Drupal,” the report noted.
Programming languages have an advantage over scripting languages when it comes to security, noted Anita D’Amico, CEO of Code Dx, a maker of a software tool that consolidates and normalizes software vulnerabilities detected by multiple code analysis tools. “Programming languages like Java and .NET have built-in protections against things like SQL injection cross-site scripting,” she explained.
That’s not the only reason scripting languages are less secure than programming languages. “Scripting languages are interpreted and not compiled, and so they are often easy to read and easy for hackers to figure out how to mess with the code,” said Al Hilwa, program director for software development research at IDC.
Scripting languages also require developers to “do more” to secure the input handling of their apps. “Languages and functions that require more work on the part of a developer are always a bad idea,” said Gary McGraw, CTO of Cigital, a software security consulting firm.
Mobile security demands better cryptography
Veracode also reported that mobile applications had a high rate of cryptographic issues. Those issues occurred in 87 percent of Android apps and 80 percent of iOS apps. “This suggests that while mobile app developers may be aware of the need for cryptography to protect sensitive data and thus use it in their applications, few of them know how to implement it correctly,” the report noted.
Mobile apps present developers with more security problems than other kinds of apps. “Mobile devices have additional security issues because they are hyper-connected,” Hilwa said. “They are always on and physically roam in many unsecure neighborhoods. This means that data that must be kept secure is always floating in memory, necessitating the use of good encryption to protect it. This means that developers have to take on bigger burdens in mobile app development.”
It also means they have to write more code with cryptography. “Crypto is more problematic on mobile because developers have to write more crypto code, and they’re not that well educated on how to do that correctly,” Wysopal said.
Not only are there many mobile developers undereducated about cryptography, but there are also many more of them that are single-developer operations. “The development process in a single-man shop is very different from development of applications in large corporations, where there are steps taken to ensure that software is secure,” noted Slawek Ligier, vice president of engineering for Barracuda Networks, a network security company.
Hit the books, devs
Education and training have a significant impact on the ability of developers to craft secure apps, according to the report. Organizations that invest in e-learning for developers have fix rates 30 percent higher than those that do not make such investments. The report cautioned, however, that the numbers may be influenced by other factors. “[T]his may be correlative rather than causative, since eLearning use is associated with other success strategies such as use of centralized policies, remediation coaching and other aspects of a systematic program,” it noted.
Security education and training are essential to reduce the risk to software makers after they release an app. “Security is simply the biggest exposure we have today in building apps because it can fire up unpredictably,” Hilwa said. “Other app quality or performance failures are easy to assess and generally prevent apps from being broadly deployed. Security lurks as an explosive issue that will haunt an app or a company after it has become widely deployed.”
The Veracode report also noted that assessment methods can make a difference in fixing security flaws. For example, vulnerabilities discovered through static analysis have a 28 percent higher fix rate than those found through dynamic analysis. “While no single assessment technology is sufficient to secure an application, understanding the tools’ strengths and weaknesses as it comes to fixing — not just finding — software vulnerabilities is important,” the report noted.
Language of malware
Language variations also affected an app’s pass rate against common security policies, such as the Open Web Application Security Project’s (OWASP) top 10 web application security risks, the report noted. Part of those differences could be attributed to different vulnerability distributions. Nevertheless, the report pointed out that development teams should be aware of the statistical risks for applications written in a particular language when considering the threat model for an application.
Because of how software development is changing, security is in a position to benefit from those changes. “As organizations simultaneously contemplate the shift to continuous delivery and other DevOps innovations, and as they begin to feel the pressure to break their applications apart into smaller, more sustainable units,” Wysopal wrote in the report, “they face what could be an ideal moment to help their development teams make decisions to help improve the security of their enterprises.”