The article below was originally published in English on LinkedIn Pulse.
The last few weeks have been intense for information security professionals. Just after we recovered from the Heartbleed vulnerability, we received notification of another problem, a vulnerability called Shellshock.
But why, with current technology, do we still have bugs like this?
Nowadays we have tools that can test source code for errors (static analysis) and, once the code is compiled, test the whole running system (dynamic analysis). These solutions rely on tests based on signatures and known classes of issues.
Online communities like OWASP – the Open Web Application Security Project – periodically publish a list of the Top 10 web application security risks. According to the latest report, "Injection" (SQL, LDAP, etc.) is the #1 vulnerability found in software. Since the report was first published, "Injection" has always had a place on the list. That is a known issue, right? So why do developers keep making this kind of mistake?
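To make the point concrete, here is an added example (not code from the original article) of the injection mistake the OWASP list keeps flagging, written in Python against an in-memory SQLite database with a constructed sample user table. Function names and the sample data are mine. The vulnerable login builds the SQL text by concatenating user input, so the input can change the structure of the query; the hardened version keeps the query text fixed and binds the values as parameters. It also goes slightly beyond the SQL case by showing the same idea for an LDAP search filter, where the fix is escaping the filter metacharacters defined in RFC 4515.

```python
import sqlite3

# Constructed sample data for the example; not from the original article.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("carol", "letmein"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The mistake: user input is pasted into the SQL text, so a quote
    character in the input ends the string literal and the rest of the
    input becomes SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """The fix: the SQL text is constant and the values are bound as
    parameters, so the driver never interprets them as SQL."""
    query = (
        "SELECT username FROM users WHERE username = ? AND password = ? "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(query, (username, password))]


# RFC 4515 escaping for values placed inside an LDAP search filter.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def ldap_escape_filter_value(value):
    """Escape the characters that would otherwise alter filter structure."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_user_filter_vulnerable(username):
    """Same mistake as the SQL case: '*' or ')' in the input rewrites the filter."""
    return "(uid=" + username + ")"


def ldap_user_filter_safe(username):
    """Hardened form: metacharacters are escaped before being embedded."""
    return "(uid=" + ldap_escape_filter_value(username) + ")"


def demo():
    """Run the classic payloads against both versions and return the results."""
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into 'always true'
    comment_out = "bob'--"      # closes the literal and comments out the password check
    return {
        "vulnerable_tautology": login_vulnerable(conn, tautology, tautology),
        "safe_tautology": login_safe(conn, tautology, tautology),
        "vulnerable_comment": login_vulnerable(conn, comment_out, "wrong"),
        "safe_comment": login_safe(conn, comment_out, "wrong"),
        "safe_real_credentials": login_safe(conn, "bob", "hunter2"),
        "ldap_vulnerable_wildcard": ldap_user_filter_vulnerable("*"),
        "ldap_safe_wildcard": ldap_user_filter_safe("*"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The tautology payload makes the vulnerable query return every user, and the `bob'--` payload logs in as bob without knowing the password; the parameterized version returns no rows for either, and still works for the real credentials. The LDAP case shows that escaping, not concatenation, is what keeps a `*` from matching every entry.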
Even with the advances in detecting errors in software systems, the adoption of such tools has not followed the same trend. Many software manufacturers have no process for testing their code and systems with these solutions.
But a security evaluation tool alone is not enough. Developers should have a process that ensures security throughout the software development lifecycle. There are steps to take during planning, during development and after the code is done. Leaving security to the end of the lifecycle only raises the cost of fixing the issues found.
And after all those investments in security, adding process to the development lifecycle and using tools to analyze code and systems, it is obvious that the cost of development will increase. This may be the main reason software bugs keep happening.
US-CERT, part of the US Department of Homeland Security, sponsors a list of publicly known vulnerabilities, maintained by MITRE. It is known as CVE – Common Vulnerabilities and Exposures. It is not an annual list but one that is updated continuously: whenever someone finds a vulnerability, they can report it and a CVE record with a unique identifier is created. Anyone can query this list and learn about the vulnerability. It helps the security industry stay informed about bugs and request fixes for them.
According to the CVEDetails.com website, the number of vulnerabilities found per year looks like the graph below:
Many readers may say that other industries do not have such a high number of defects, but again, it comes down to the price and cost that preventing them would represent.
Critical software, such as software that controls machinery where a failure may cost lives, is subject to much stricter controls. It all comes down to the cost of producing securely versus the cost of the damage. The car industry does not implement seat belts only out of concern for your safety.
In my opinion, there are some processes which, if adopted, could increase software security without raising costs too much. We need to spread security awareness and coach our developers to code securely. Every day new developers arrive on the market, and with the evolution of programming languages some of them do not have deep knowledge of coding itself. It can be hard to ask them to know security too.
The role of the tester or quality assurance analyst is also neglected. I have known many companies that perform a few small tests and leave it to the end user to find the bugs. By then it can be too late. Cyber criminals are watching this and having fun: there is a big market for exploits of undisclosed vulnerabilities, used in Advanced Persistent Threat attacks.
Bugs and vulnerabilities are far from ending or even decreasing; the forecast, in fact, is that they will increase. So, if you produce software, know your statistics. Take the time to study and implement techniques that improve the security of your software. If you are only a user of software, stay alert: sign up for a notification list, watch your environment and, when you are notified about a vulnerability, fix it as soon as possible. Your company and the Internet will thank you for it.
Written in September 2014.
Originally published on LinkedIn Pulse