Writing a code can be compared to writing a letter.
Related: Political apps fuel division
When we write a letter, we write it in the language we speak – and the language the recipient understands. When the developer writes code, he does so in a language that the computer understands, that is, in a programming language. The developer uses this language to describe a program scenario that specifies what the program should do and under what circumstances.
If we make mistakes or typos in the text of the letter, its content will be distorted. Our intentions or requests can be misinterpreted. The same happens when the developer makes mistakes in the code, leading to unintended vulnerabilities.
Then the operating scenarios of the system differ from those originally envisaged by the software developer. This can bring the system into a non-standard state that was not intended by the software developer. Thus, an attacker can manipulate these non-standard conditions for his own purposes.
Let’s take SQL injection as an example, one of the most popular methods of hacking online applications. Suppose we have an online service, for example an online bank. We enter our username and password to log in. In a SQL injection attack, the intruder injects malicious code into the lines that are sent to the server for analysis and execution. With a user account, the attacker can bring the system into an abnormal state and gain access to other users’ accounts.
Of course, the developer never intended the system to be used in this way. But while writing the code, the developers made mistakes that led to the vulnerabilities that allowed such abuse.
More code, more risk
Information systems are becoming more and more complex, so the amount of code is also increasing. For example, a new mobile app requires as many lines of code as a 15-year-old Linux kernel. At the same time, developers rarely write code from scratch these days. They add the ready-made pieces of code, which are microservices assembled in software containers, and then add 10 to 20 percent more to create the new app.
The larger the amount of code, the higher the risk of errors leading to vulnerabilities. To prove it, I’ll tell you about an interesting case. We’ve tested thousands of popular mobile apps against a range of parameters that we believe determine the security of the application.
It turned out that the average security level is 2.2 out of a maximum of 5 points. The only thing that saves the apps from massive attacks is that exploiting vulnerabilities in mobile apps without penetrating deep into their server part is quite expensive and time-consuming. Therefore, not all attackers are willing to do this.
Continuing the analogy of writing texts, in the past, when an author wrote a book or a journalist prepared a newspaper article, their texts inevitably had to be proofread by an editor, a person who checked for errors and inconsistencies. Today there are still editors, but their job has become optional.
The role of automation
The fact is, people have learned to partially computerize this job, embedding automatic checks into computer programs to detect mistakes and typos. These automatic checks have gradually become more complex and in-depth. Now the special software checks style and semantics as well as spelling.
The same thing happened when writing code. We have fairly intelligent systems like program code analyzers that can detect inconsistencies, vulnerabilities and violations in the written code.
They can be used in two modes depending on the amount of code. If the amount of developed code is small, you can do the verification manually. If we are talking about multi-stage code development, which involves hundreds of developers, and the amount of written code is tens of thousands of lines per day, running secure development processes (DevSecOps, Secure SDLC) using a code analyzer is much more effective than its core.
To explain the mechanism of such processes by the above analogy, imagine a whole working group of proofreaders. They have a hierarchy and algorithms that define what order proofreaders follow when proofreading, what requirements a text should meet, and in which cases a text must be sent for revision. The same applies to secure development processes and software before it is released.
This is the world of software vulnerabilities we live in today. It requires awareness and care to stay safe.
About the essayist: Dan Chernov is CTO of DerSecur, a provider of DerScanner, a static app code analyzer that can identify vulnerabilities and undocumented features in Google Android, Apple iOS and Apple macOS.
*** This is a syndicated Security Bloggers Network blog from The Last Watchdog written by bacohido. Read the original post at: https://www.lastwatchdog.com/guest-essay-the-role-of-automation-in-keeping-software-from-malicious-unintended-usage/