Subscribe
Blog / Podcast Readers
NEWSGATOR YAHOO
BLOGLINES ITUNES
DEL.ICIO.US DIRECT RSS

Bug-free and Secure Applications: New Tools and Approaches Required

by Tim Hudson on 7/13/2005
Topics: Software Security

Developers know less about the technology they are using these days than ever before.

Complex systems, third party black-box components, integrated development environments and code wizards all work to hide "unnecessary" details from the developer.

In an effort to make individuals more productive, we have reduced their knowledge of overall system architecture and how things work. We have hindered developers' abilities to handle many critical things in a sensible manner. And so, in consequence, the rate of production of applications with serious security flaws has actually increased.

Those that do know about issues like system architecture and secure coding are generally more focused on policies and corporate compliance programs and seem to have little impact on the actual code produced by developers in their organizations -- if any of the industry statistics on bugs in applications are valid.

We are looking at a strange paradox: There have never been more developers. There have never been more applications. There are more technologies and solutions available to developers for solving security problems than ever before. Yet, despite this, bugs are more prevalent than ever.

Which begs the question: what is wrong with the approaches that we as an industry are applying to solve this problem?

A simple classification of what has been done to this point breaks things down into two main approaches. The first approach I call "fix the developers" -- which is to turn all developers into security experts -- something which is rather impractical given the many other demands on these individuals and the amount of specialist knowledge needed to be an effective security expert.

The second approach I call "ignore the developers" -- namely to build security systems which operate entirely independently from the application developers. This fails for some fairly simple reasons -- there is no single approach to solving all security problems. Different contexts (or circumstances) require different solutions. The application developer has the details of the context which the security system needs, and so the approach of isolating the developer entirely from security related details precludes access to essential information.

Neither of these approaches is likely to impact the underlying problem of more bugs making it out in application code.

There is no reliable manner for a security system to guess the context of operation intended by an application developer without additional information. How can a security system guess what information is a sensitive financial transaction and what is not without being explicitly informed?

Basically stated, the application developer has the context necessary for the security system to be able to make the appropriate choices in terms of security technologies to use. However there is no clear way for the application developer to communicate that information to the security system in a manner which doesn't involve the developer becoming aware of security related information which they should not need to know. Where the application developer does not have that information they act as the agent of the end user for communicating that context.

If I'm sending details of what changes to make to where my salary is deposited each month, I want that information to be kept private and for there to be verification that it came from me before any action is taken. That's the level at which a developer should be thinking -- not down at the other end where it is S/MIME encrypted and sent over a TLS connection to head office using AES-256 as the cipher with RSA 2048 bit keys and mutual authentication chaining through the corporate trust hierarchy for identity confirmation using the appropriate corporate directory...

Why aren't there solutions which operate at that level -- allowing an application developer to continue to think in terms of classification of information, and the origin and destination of the information flow, in a manner which can then be used to map through to the appropriate security technologies to use? Developers should use their own (existing) vocabulary to describe information.

It is an interesting exercise to visit an organization and look through its security framework and policies, and then start looking at the applications being developed. Generally none of the corporate terminology or guidelines actually makes it down into the systems being produced. This gap is one that should be closed and may require development of new tools and approaches.

In summary:

Context-free application of security doesn't work.

Expecting application developers to understand security is unrealistic.

Defects in applications and development frameworks are here to stay.

Tim Hudson RSA Security, Inc

Comments
Security isn't the only thing you need to understand...

I've been bitten by this lately: the complex tapestry of legal red tape that surrounds development. Take the case of a project you've been involved with, OpenSSL.

OpenSSL is released under a BSD-like license that includes an "advertising clause" stating that any product that bundles OpenSSL must advertise it along with an advertisement for their product. A strict interpretation of the GPL states that a GPL application can not release a binary linked against OpenSSL for this reason.

A lot of people have worked around it, usally by adding an exemption to the GPL in their license (but even this has it's own set problems) A lot of people don't even *know* they're breaking the rules! This is usually because they haven't read the licenses on the software they're developing/bundling/linking against.

If only it were that simple... even if OpenSSL is a few steps down the chain, the GPL is still being violated: Take the case of the freeradius project. It is released under the GPL and comes with a plugin allowing radius authentication via a postgresql database.

Postgresql's license and the GPL are in harmony. Postgresql's license and the OpenSSL license are in harmony. But if a vendor's version of postgresql is linked against OpenSSL, you can't link freeradius's against those pg libraries anymore because that would violate freeradius's GPL.

This is just one example of many. As I stated above, many GPL projects have added an exemption to the GPL to their license, stating that you can link against OpenSSL even though it's usually against the rules. This solves the problem for those projects... until other another piece of GPL software wants to interact with the product that has the exemption. Then we start all over again.

How can this be solved? Software developers shouldn't need to spend so much time thinking about red tape, especially when they are contributing to open source and expanding the abilities of the human race as a whole. If a new version of SSLeay was released with a new license that did not have the advertising clause, then OpenSSL (which is based off of SSLeay) could follow suit, and people wouldn't have to muddle their heads in legal space just to have their GPL app talk securely with other systems that use OpenSSL.

Tim, if you could make sure Eric Young sees this as well, I'd appreciate it, and I hope you two find it in your hearts to do such a small thing to save these developers from this headache.

Thanks, Tyler

- Tyler MacDonald

Post A Comment

Your Name
Your Email Publish email?: Yes No
Your Blog
Subject
Comment
Verification Word
© 2010 RSA Security. All rights reserved | Privacy | Legal | Site Map

RSA, The Security Division of EMC, provides Secure Data, Compliance, SIM, SEM, SIEM, PCI, Consumer Identity, Two-Factor Authentication, Custom Applications, Consulting, Assessment, and other security solutions and services to over 90% of the Fortune 500.
 
Access Control |  Authentication and Identity Assurance |  Credential Management |  Data Loss Prevention |  Data Encryption and Key Management |  Fraud Prevention |  Security Information and Event Management |  Log Management |  IT Compliance |  ISO 27002 Compliance |  Information Risk Management for Financial Services |  Payment Card Industry Data Security Standard | 
 
RSA Access Manager
RSA BSAFE
RSA eFraudNetwork
 RSA Data Loss Prevention
RSA Consumer Solutions
RSA FraudAction
 RSA Digital Certificate Solutions
RSA Encryption/Key Management
RSA Enterprise Data Security
 RSA enVision
RSA SecurID
RSA Smart Cards

 RSA Federated Identity Manager
RSA Adaptive Authentication