Microsoft’s issuance last week of 14 security patches raised fears that worm-based attacks would follow and sparked discussion on how to better build code.

Of the holes identified in Windows XP, Windows Server 2003 and older versions, some are so critical that exploiting them could lead to total compromise of machines and files, security experts say. But the way to eliminate such vulnerabilities isn’t via patches; it is by creating tools and processes for building more secure code and weeding out problems in the development phase.

It’s a problem that bedevils not only Microsoft but any large company that writes its own applications or source code. Many organizations try to stomp bugs by having the chief software architect and programmers work in a formal process with the security manager’s staff as part of the code-evaluation process, says Steve Orrin, CTO at Sanctum.

Gathering dust

Although companies often make an effort to train developers about problems such as buffer overflows, Orrin says, the corporate policy ideas contained in written secure-coding practices “usually sit on a shelf gathering dust.” The pressure to get product out the door sometimes means the code review isn’t as thorough as it could be.
Michael Howard, Microsoft’s senior program manager in the security business and technologies unit, last week rejected any suggestion that Microsoft ships any product before thorough security-based code evaluation.

“We’ve delayed products such as Windows Server 2003 for nine months because of security issues,” says Howard, whose job is to foster expertise among Microsoft programmers through a continuing education process and what he describes as a “buddy system” that teams security experts with programmers.

But Microsoft has only about a dozen of these security specialists to interact with about 20,000 software engineers. Howard says Microsoft is looking at doing more online training to be able to “scale” the process.

Redmond makes use of homegrown code-review tools, including the desktop-based Prefast for static code review and Prefix, which runs on servers. Prefast eventually might be added to Microsoft’s Visual Studio development tool. Microsoft also sometimes turns to outside firms, eEye Digital Security being one, for independent review of products. In fact, eEye Digital Security months ago uncovered several of the most critical vulnerabilities that Microsoft identified last week.

Windows weaknesses

Microsoft identified 14 vulnerabilities in its Windows XP, NT, 2003, 2000 and 98 products last week. Here are the most critical ones:

Windows Local Security Authority Service Server
• Flaw permits attacker to completely compromise system.

Secure Sockets Layer
• Attacker can launch denial-of-service attack.

ASN.1 vulnerability
• Permits remote execution of code.

Windows DCOM/Remote Procedure Call
• Attack could cause denial of service or possibly execution of arbitrary code with System privileges.

For more information see Microsoft’s web site and cert.org.
But eEye COO Firas Raouf says word of the vulnerabilities was kept quiet until a patch could be devised.

eEye Digital Security, which sells vulnerability scanners and will soon announce a host-based intrusion-prevention product, relies on crack bug-hunters and tools developed in-house to pinpoint hard-to-see flaws in software. Raouf adds that the firm sometimes holds contests to see which team of researchers can find security holes and fix them. “At the end of the contest, they might win a trip to Hawaii or a laptop,” he says, adding that eEye also will hire outside evaluators, such as Neohapsis, to check eEye products.

Much security review remains manual, and might be more art than science, though automated tools for application and source-code analysis are becoming more available. Freeware tools, such as Splint or the Rough Auditing Tool for Security (RATS) maintained by Secure Software, also can be of help.

Getting automated

HB Gary’s BugScan and Parasoft’s Automated Error Prevention software tool, released earlier this year to uncover security-related mistakes such as SQL misuse and buffer overflows in C and C++ code, are part of the trend toward automated security code reviews. SPI Dynamics and Sanctum each recently began offering their Web security-test tools integrated into Mercury Interactive’s TestDirector quality-assurance tool. Start-ups in the area are proliferating. Last month a company named Reasoning began offering a “bug-identification service” for analyzing source code for security flaws.
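To make concrete what tools such as RATS and Splint actually flag in C, here is an added example, written for this page and not taken from the article or from any of the vendors it names: a fixed-size stack buffer filled by an unbounded strcpy() beside a hardened version that bounds the scan, rejects overlong input and checks that the formatted result fitted, followed by a minimal RATS-style lexical audit run over a constructed source snippet. The function names, the 16-byte buffer limit and the sample source are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define NAME_MAX 16   /* fixed stack buffer size used by both greeters (assumed) */

/* Vulnerable pattern: fixed-size stack buffer filled by an unbounded strcpy().
 * This is exactly the call RATS and Splint report: a name of 16 bytes or more
 * writes past buf and corrupts the stack. Kept here to show what the tools
 * flag; only ever call it with input shorter than NAME_MAX. */
void greet_unsafe(const char *name, char *out, size_t outlen)
{
    char buf[NAME_MAX];
    strcpy(buf, name);                       /* no length check at all */
    snprintf(out, outlen, "Hello, %s", buf);
}

/* Hardened version: measure with a bound, reject overlong input instead of
 * silently truncating, copy exactly the measured bytes, and check that the
 * formatted output itself fitted. Returns 0 on success, -1 on rejection. */
int greet_safe(const char *name, char *out, size_t outlen)
{
    char buf[NAME_MAX];
    const char *end = memchr(name, '\0', NAME_MAX);  /* bounded scan */
    if (end == NULL)
        return -1;                           /* no terminator within limit */
    size_t n = (size_t)(end - name);         /* n <= NAME_MAX - 1 */
    memcpy(buf, name, n);
    buf[n] = '\0';
    int written = snprintf(out, outlen, "Hello, %s", buf);
    if (written < 0 || (size_t)written >= outlen)
        return -1;                           /* caller's buffer too small */
    return 0;
}

/* Minimal "rough audit" in the spirit of RATS: a lexical pass that flags each
 * source line calling a function that takes no bound. Real tools add data-flow
 * tracking; this shows the pattern match they start from. The identifier
 * boundary check keeps fgets() from matching gets() and mystrcpy() from
 * matching strcpy(). Returns the number of flagged lines and stores up to
 * max 1-based line numbers in hits. */
static const char *const RISKY_CALLS[] = { "strcpy(", "strcat(", "gets(", "sprintf(", NULL };

int rough_audit(const char *source, int *hits, int max)
{
    int line = 1, count = 0;
    const char *p = source;
    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        for (int i = 0; RISKY_CALLS[i] != NULL; i++) {
            size_t rl = strlen(RISKY_CALLS[i]);
            for (size_t j = 0; j + rl <= len; j++) {
                int at_word_start = (j == 0) ||
                    !(isalnum((unsigned char)p[j - 1]) || p[j - 1] == '_');
                if (at_word_start && memcmp(p + j, RISKY_CALLS[i], rl) == 0) {
                    if (count < max)
                        hits[count] = line;
                    count++;
                    goto next_line;          /* one report per line */
                }
            }
        }
    next_line:
        if (eol == NULL)
            break;
        p = eol + 1;
        line++;
    }
    return count;
}

/* Constructed sample source (not from any real project) for the audit pass. */
const char SAMPLE_SOURCE[] =
    "#include <string.h>\n"                       /* line 1 */
    "void f(const char *s) {\n"                   /* line 2 */
    "    char buf[16];\n"                         /* line 3 */
    "    strcpy(buf, s);\n"                       /* line 4: flagged */
    "    strncpy(buf, s, sizeof buf);\n"          /* line 5: bounded, not flagged */
    "    fgets(buf, sizeof buf, stdin);\n"        /* line 6: fgets is not gets */
    "    sprintf(buf, \"%s\", s);\n"              /* line 7: flagged */
    "}\n";

int main(void)
{
    char out[64];
    greet_unsafe("Alice", out, sizeof out);      /* short input: fine */
    printf("unsafe: %s\n", out);
    printf("safe:   %d (%s)\n", greet_safe("Alice", out, sizeof out), out);
    printf("safe rejects 17-byte name: %d\n",
           greet_safe("Bartholomew-Jones", out, sizeof out));

    int hits[8];
    int n = rough_audit(SAMPLE_SOURCE, hits, 8);
    for (int i = 0; i < n; i++)
        printf("line %d: unbounded call\n", hits[i]);
    return 0;
}
```

The audit reports lines 4 and 7 and stays quiet on the strncpy() and fgets() lines, which is the difference between a useful lexical scanner and one that buries reviewers in false positives. The hardened greeter rejects rather than truncates: silent truncation of a name is harmless, but silent truncation of a path or a command is a different bug, so the safe default is to fail closed and let the caller decide.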
Earlier this month, start-up Fortify Software introduced its Source Code Analyzer Server, a $50,000-per-CPU software package that C, C++ and Java developers can use to detect weaknesses in their nightly builds. Fortify also offers a $25,000 tool called Red Team Workbench for Windows and Linux servers that can help security specialists check for exploits aimed at Web applications and XML-based Web services.

Finally, start-up Ounce Labs plans to ship Prexis next month, in May, a tool designed for CIOs and chief security officers to evaluate the C or C++ source code that developers produce. “This is a tool for those with responsibility for understanding where risks are,” says Jack Danahy, president and CEO of Ounce Labs. Prexis, which starts at $50,000, is said to run at compiler speed to evaluate applications for security risks, presenting the information as “V-Density” reports of vulnerabilities that need to be addressed.

While Microsoft last week had a lot of explaining to do, anyone who thinks its operating systems are worse in terms of vulnerabilities than, say, Linux is going to be surprised by a report that security expert Stuart McClure, president and CTO at security products vendor Foundstone, will publish next month. In his apples-to-apples study comparing the history of flaws discovered in several versions of Linux with those in Microsoft software, McClure says, “Linux is worse,” with about 10% more flaws uncovered.