
Application Vulnerability Control

Software code defects


The IT industry is the fastest-growing industry in the history of mankind, outpacing radio, television and telephony. The pace of change means that the modern education system simply cannot keep up with preparing qualified IT personnel: programmers, architects, analysts. The competence required of such specialists grows faster than they can learn. Hence the constant shortage of personnel in this market and, as a result, the frequently defective output of IT teams. Today no one is surprised that even the software products of the best-known manufacturers are often imperfect. We take it for granted and work with the software that developers give us. They, in turn, like other IT professionals, make every effort to reduce the number of shortcomings.

The task of a high-class manager is not only to assemble a team but also to stay within budgets, which often do not allow hiring specialists of impeccable qualification. In this situation it is necessary to create working conditions and processes that, even with performers of average competence, produce results exceeding the market's typical figures. That is how competitive advantages are achieved.

What defects are present in software, and are they all alike? This question can be answered in different ways by building various classification theories. Here we divide software defects into classes according to how they are managed in the process of improving software quality in accordance with information security requirements.

The most common flaw is programmer mistakes made while developing the code. Often the cause is a lack of time or a loss of attention during work. For example, a programmer writes code that must perform certain actions under certain conditions and other actions in all remaining cases. The programmer pays great attention to the code that will be executed in 90% of program runs. By the time the alternative case is handled, he is tired, his attention is scattered, and important details are lost, such as the statement that governs what this fragment does when the condition for the main fragment is not met.
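As an added example, not taken from the article, the following Python fragment shows the mistake just described: a decision function whose main case was written carefully and whose alternative branch lost its closing statement, so an unrelated user inherits the value set for the main case. The fixed version starts from "deny" and lists every condition that grants access. Users, roles and the resource record are constructed for illustration.

```python
# Added example (not from the article): a decision function whose
# "alternative" branch lost its closing statement, and the fixed version.
# Names, roles and the resource record below are constructed for illustration.

def access_decision_buggy(user, resource):
    """Main case (owner or admin) handled first; the shared-access case was
    written in a hurry and the statement denying everyone else is missing."""
    decision = "allow"                       # initialised for the common case
    if user["role"] != "admin" and resource["owner"] != user["name"]:
        # alternative case: only explicitly shared resources may be read
        if user["name"] in resource.get("shared_with", []):
            decision = "allow"
        # the 'else: decision = "deny"' that belongs here was never written,
        # so any other user keeps the value chosen for the main case
    return decision


def access_decision_fixed(user, resource):
    """Fail closed: start from deny and list every condition that grants access."""
    if user["role"] == "admin":
        return "allow"
    if resource["owner"] == user["name"]:
        return "allow"
    if user["name"] in resource.get("shared_with", []):
        return "allow"
    return "deny"                            # every unlisted case is denied


# Constructed sample data covering the main case and both alternatives.
OWNER = {"name": "alice", "role": "user"}
COLLEAGUE = {"name": "bob", "role": "user"}
STRANGER = {"name": "mallory", "role": "user"}
PRIVATE = {"owner": "alice", "shared_with": ["bob"]}


def compare_decisions():
    """Return the names of users for which the two versions disagree."""
    return [u["name"] for u in (OWNER, COLLEAGUE, STRANGER)
            if access_decision_buggy(u, PRIVATE) != access_decision_fixed(u, PRIVATE)]


if __name__ == "__main__":
    for u in (OWNER, COLLEAGUE, STRANGER):
        print(u["name"], access_decision_buggy(u, PRIVATE),
              access_decision_fixed(u, PRIVATE))
```

A regression test that feeds the function one input per branch, including the "nobody matched" case, is what catches the buggy version; a test suite written only from the main scenario passes it.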

Another characteristic cause of errors in program code is making changes to it. The developer changes one piece of code that may affect the functionality of another fragment of the program, and that functionality, which was never meant to be transformed, ends up changed.
Usually such errors are detected at the testing stage, either by the developers themselves or by a dedicated group of testers. To detect them there are various theories and proven practices for developing test suites from the terms of reference, regression tests and other methods that allow you to write a high-quality set of input data covering a larger percentage of possible program execution scenarios.

Other defects, of more interest to information security specialists than to developers, are vulnerabilities. A vulnerability is a developer's error that could potentially be exploited by attackers to gain unauthorized control over a software application. A vulnerability is code that performs the right actions in terms of the required functionality, but whose execution has a side effect the programmer often does not know about. The presence of such code fragments is not a consequence of fatigue, inattention or insufficient time for testing, as in the case of an error. Often the reason vulnerabilities appear is that programmers are unaware of the side features of the language constructs they use to implement the intended functionality.
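An added example, not from the article, of exactly this kind of "side feature" of a language construct: Python's os.path.join silently discards every preceding component when a later argument is an absolute path, and ".." segments walk out of the intended directory, so code that is functionally correct for the normal case quietly serves files from elsewhere. The naive function is shown beside a confined version. The base directory and the file names are constructed; posixpath is used instead of os.path so the result is the same on any platform.

```python
import posixpath as pp   # os.path on POSIX; used directly for a deterministic example

# Added example (not from the article). Side feature of os.path.join / posixpath.join:
# an absolute second argument replaces the base, and "../" segments climb out of it.
# BASE_DIR and the sample names are constructed for illustration.

BASE_DIR = "/srv/files"          # hypothetical upload directory


def path_naive(name):
    """Functionally 'correct' code: builds the path the caller asked for."""
    return pp.join(BASE_DIR, name)


def path_confined(name):
    """Hardened version: normalise lexically and require the result to stay
    under BASE_DIR. Raises ValueError for anything that would escape.
    Lexical check only: where symlinks may exist on disk, additionally compare
    os.path.realpath of both sides, which requires the directory to exist."""
    if pp.isabs(name):
        raise ValueError(f"absolute path rejected: {name!r}")
    candidate = pp.normpath(pp.join(BASE_DIR, name))
    # commonpath avoids the prefix pitfall where '/srv/files-old/x' would pass
    # a plain startswith('/srv/files') test
    if pp.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"path escapes base directory: {name!r}")
    return candidate


def is_confined(name):
    """True if the confined version accepts the name."""
    try:
        path_confined(name)
        return True
    except ValueError:
        return False


def classify(names):
    """Return {name: (verdict, path)}; for rejected names the path is what the
    naive version would have used, to show what the side effect produces."""
    result = {}
    for n in names:
        if is_confined(n):
            result[n] = ("confined", path_confined(n))
        else:
            result[n] = ("rejected", path_naive(n))
    return result


# Constructed inputs: one legitimate name, two traversal attempts, one prefix look-alike.
SAMPLES = ["reports/q1.txt", "../../etc/passwd", "/etc/passwd", "../files-old/x"]

if __name__ == "__main__":
    for name, (verdict, path) in classify(SAMPLES).items():
        print(f"{name!r:22} {verdict:9} {path}")
```

The static analysers discussed below flag the naive pattern precisely because the programmer's intent (stay under BASE_DIR) is never expressed in the code; the confined version makes that intent an explicit check.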

Vulnerabilities are revealed by experts in code analysis who know about the side effects of the various language constructs. Many vulnerabilities can also be detected by testing software against information security requirements using dedicated penetration tests. A more effective method of detecting them, however, is semi-automatic static code analysis performed by experts with special tools.

The defects that are most unpleasant in terms of detectability are undeclared software capabilities (NDV, from the Russian abbreviation). Undeclared capabilities are correct code both in terms of functionality and in terms of information security, so they are difficult to detect with automatic methods. However, this code implements functionality that the customer never conceived of: the developer introduced it for his own purposes. Usually NDV are divided into bookmarks (planted functionality) and secret entrances (back doors).

A bookmark is functionality that runs when certain conditions occur and performs actions conceived by the developer. Bookmarks are often used to manipulate software covertly. One of the most famous cases is the story of the City Bank developer. The programmer did not know what to do with the difference that arises from rounding the results of arithmetic operations when calculating interest on customer deposits, and came up with nothing better than accumulating it in his personal account.

A secret entrance is code that allows a programmer to gain control over the software, bypassing the rules specified in the terms of reference. Most often secret entrances are found in software developed to order, so that errors in the operation of the application at the customer's site can be diagnosed remotely.

It is impossible to detect undeclared capabilities fully automatically, since such code is correct. Information security experts find such defects by manual code analysis or with software tools that detect, in the source code, patterns of language constructs characteristic of how NDV are built.
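To make concrete both the "semi-automatic static analysis" of the vulnerabilities section and the pattern search for NDV described just above, here is an added example, not from the article and not any vendor's tool: a small heuristic scanner built on Python's standard ast module. It flags two construct patterns a reviewer looks for when hunting planted functionality, a credential-like variable compared against a string literal (a hard-coded bypass) and a comparison that depends on the current date or time (a condition-triggered bookmark). As the article says, such code is syntactically correct, so the scanner only produces candidates for a human to judge. The word lists and the sample source are constructed for this example.

```python
import ast

# Added example (not from the article): a heuristic AST scanner for two
# construct patterns associated with undeclared capabilities. It reports
# candidates only; a human must confirm intent. Word lists and SAMPLE are constructed.

CREDENTIAL_WORDS = ("password", "passwd", "secret", "token", "user", "login")
CLOCK_CALLS = ("now", "utcnow", "today", "time")


def _identifier(node):
    """Name of a variable or attribute operand, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def _reads_clock(node):
    """True if the subtree calls something like time.time() or date.today()."""
    return any(isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
               and n.func.attr in CLOCK_CALLS for n in ast.walk(node))


class NdvPatternScanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []            # (line, kind), de-duplicated, in source order

    def _report(self, node, kind):
        if (node.lineno, kind) not in self.findings:
            self.findings.append((node.lineno, kind))

    def visit_Compare(self, node):
        operands = [node.left, *node.comparators]
        idents = [i.lower() for i in map(_identifier, operands) if i]
        has_str_literal = any(isinstance(o, ast.Constant) and isinstance(o.value, str)
                              for o in operands)
        # pattern 1: a credential-like variable compared against a string literal
        if has_str_literal and any(w in i for i in idents for w in CREDENTIAL_WORDS):
            self._report(node, "hardcoded-credential")
        # pattern 2: a comparison whose outcome depends on the current date or time
        if any(_reads_clock(o) for o in operands):
            self._report(node, "time-trigger")
        self.generic_visit(node)


def scan_source(source):
    """Parse Python source text and return [(line, kind), ...]."""
    scanner = NdvPatternScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed sample: one hard-coded bypass, one date-gated branch, one benign compare.
SAMPLE = '''\
import datetime

def authenticate(user, password):
    if user == "support" and password == "s3cr3t-maint":
        return True
    return check_database(user, password)

def export_report(rows):
    if datetime.date.today() > datetime.date(2026, 1, 1):
        rows = rows[:10]
    return rows

def normal(x):
    if x == "yes":
        return 1
    return 0
'''

if __name__ == "__main__":
    for line, kind in scan_source(SAMPLE):
        print(f"line {line}: {kind}")
```

In a review workflow the findings list is the input to the human step: each flagged line is read against the terms of reference, and a comparison the specification does not account for is the candidate NDV. The benign function shows the limit of the heuristic in the other direction: a bypass keyed on a variable with an innocuous name is not caught, which is why the article insists on manual analysis as well.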

Where do defects in software code come from?


Errors and vulnerabilities in program code usually appear not only because technologies are changing and developers do not have time to adapt to them, but also because the software development process is built incorrectly.

Often software requirements change faster than the IT team can implement them. A technical specification is issued, worked through by the architect and designers, and handed over for implementation. But along the way the customer realizes that new market conditions require the software to fulfil other functionality. Despite the objections of the IT team, changes are made to the project documentation, and often directly to the code, breaking the carefully elaborated architecture.

Another cause of errors and vulnerabilities is the complexity of the technologies used in the modern IT industry.

Developers are forced to use technologies that may themselves contain bugs and vulnerabilities and that also give rise to new ones when incorrectly incorporated into the software being developed. Modern software products are multilingual and cross-platform, and the connections between their components are so extensive that a programmer is simply unable to keep all the details in view. In addition, since software systems are developed by a team of specialists, errors and vulnerabilities are often hidden at the junctions between components for which different people are responsible.

The appearance of undeclared capabilities in code is purely personal in nature and is hardly controlled by introducing modern software development technologies, although the practice of cross-review (before code reaches the main development branch, it is necessarily checked by another programmer) and other organizational measures have some success. Undeclared capabilities in code developed to order, where the NDV were introduced deliberately, can be detected only by analysing that code.

Is it possible to control the presence of defects in the program code?


Today, all software that is operated in Russian companies can be divided into categories:

Defects in software that is developed in-house are best reduced and controlled by implementing the practice of secure software development (Security Development Lifecycle, SDL) developed by Microsoft. One of the necessary conditions for its use is the presence of code analysis tools in the development cycle. Thus, at the development stage programmers should use a static code analysis tool that detects vulnerabilities directly while the code is being written. At the testing stage, in addition to regression testing and testing on random data, it is recommended to use dynamic code analysis tools that test the software product with penetration tests.

Several instrumental code analysis systems are on the market today, both static (on source code, the white-box method) and dynamic (without source code, the black-box method). In addition, the leading code analysis tools from manufacturers such as HP and IBM offer a combination of static and dynamic analysis, which allows the results of dynamic analysis to be mapped onto the source code. It can be said that currently the most effective code analysis tool, offering static, dynamic and hybrid analysis together with a user-friendly interface and a good library of vulnerability search rules, is HP Fortify.

If the software is developed to order, then on acceptance it must be checked for defects. This can be done by an internal quality-control team for software products, in terms of both functionality and information security requirements. The audit may also be third-party, involving independent experts.

It is difficult to control vulnerabilities in software that is supplied to order, since information about the presence of defects travels a long road through inspections, followed by a no less lengthy process of eliminating them. However, this does not mean that such software need not be checked and should be operated as a "pig in a poke". It is recommended to monitor vulnerabilities and to set up perimeter protection properly.

The key to a successful business is not solving problems effectively but preventing them from appearing. Proactive management has long conquered the world, proving its effectiveness not only in theory but also in practice. Adhering to these principles, we provide a full range of services for analysing software products against information security requirements:
  • NDV detection;
  • vulnerability detection;
  • development of recommendations for addressing identified vulnerabilities;
  • development of protection recommendations to apply while developers eliminate the identified vulnerabilities;
  • building a full cycle of developing a secure code (SDL).

Proactive management of vulnerabilities in the software a business operates, which not only performs a service function but is also a competitive advantage: this is the modern secret of success.

Article author: Ekaterina Troshina

Source: https://habr.com/ru/post/241353/
