This article can also be found in the Premium Editorial Download "Information Security magazine: Negative exposure: Web scanners reveal unknown holes."
The software industry is in a state of disarray as hackers continue to get the best of developers, finding vulnerabilities in places where no one remembers to look. Buffer overflows, SQL injection errors and covert channel attacks are just a few of the ways hackers can trip up the unsuspecting developer. And the "point-and-click" world has made these opportunities available to any kid with a computer hooked up to the Internet.
The only way to address this problem is to play by hacker rules and beat them to the punch. In software development, that means attacking your own software: testing for failure, not just for function.
Cenzic offers a tool, Hailstorm, that helps developers build security into their code. Why Hailstorm? Why go through the hassle and cost of rigorous security testing?
Well, for one thing, the argument for securing code is more compelling than the excuses for failing to do so. It makes economic sense. A recent study commissioned by the National Institute of Standards and Technology (NIST) asserts that software bugs cost the U.S. economy an estimated $59.5 billion annually. More than a third of those costs, $22.2 billion, could be eliminated with improved testing and earlier identification of errors.
The sooner you can identify and fix a vulnerability, the lower the cost. This seems obvious.
So why do we put ourselves through security hell every time a new software solution is deployed? Time. It takes time to test software, and time costs money, so we spend the time to verify functionality, but little else.
Another, more glaring reason is that we don't know how to test for failure. Testing for security problems may seem like an amorphous and open-ended process. It's a bit like the search for extraterrestrials--the fact that nobody has found any yet doesn't prove they aren't out there.
To assure security and cut costs in the long run, Gary McGraw, coauthor of Building Secure Software (Addison-Wesley, 2002), advocates incorporating security directly into the design and development of an application. "You can't bolt security on; you can't bolt quality on; you can't bolt reliability on; you have to design them in," he writes.
And then test. That's where Hailstorm comes in.
Beating Up on Code
Hailstorm tests an application at any layer--network, OS or application. Where traditional methods stop at functional testing, Hailstorm takes a "black box" approach that tries to break the code. In essence, it looks for ways to "surprise" the application by manipulating expected or defined inputs and variables in unexpected ways. Software that doesn't scrub its inputs may "give up," returning inappropriate data or even a command prompt, or fail in some other unintended way.
Cenzic calls this approach "software fault injection," providing an automated, routine, repeatable approach to security testing. For example, the Delimiter fault injector attempts to confuse or crash parsing processes, which are crucial in any application using XML. Its Buffer Overflow fault injector will add increasingly large amounts of data into an input field in an attempt to invoke unpredictable server states. After testing, Hailstorm reports on the faults exposed by the injectors (see Figure 1).
Hailstorm first passively monitors and records the application, collecting its inputs--network traffic as well as the inputs to DCOM, HTTP or SQL-over-sockets communications. Then it manipulates those variable inputs using typical hacker techniques: IP fragmentation and TCP segmentation at the network layer; Windows and Unix command injection at the operating system layer; and buffer overflows and relative path manipulation at the application layer.
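The record-mutate-observe loop described above, as an added example in Python; this is not Cenzic's code and does not reproduce Hailstorm's injectors. It assumes a constructed toy handler (toy_handler, with an assumed WEB_ROOT and a deliberately unchecked fixed-size buffer) standing in for the application under test, a constructed recorded request, and four small injectors named after the fault classes in the text. A crash is treated as a result to be classified, not an abort, and the oracle also flags two silent failures that no crash would reveal: a resolved path that escapes the web root, and shell metacharacters passed through unsanitized.

```python
import posixpath
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# ---- Constructed target ---------------------------------------------------
# A toy request handler standing in for the application under test. It parses
# a "name=value;name=value" request, copies the file name into a fixed-size
# buffer and resolves the file under a web root. The weaknesses are deliberate:
# they are the faults the injectors below are meant to surface. Nothing is
# read from disk; WEB_ROOT is an assumed path.
WEB_ROOT = "/srv/app/public"
BUF_SIZE = 256

def toy_handler(request: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for pair in request.split(";"):
        name, value = pair.split("=")            # stray ';' or '=' -> ValueError
        fields[name] = value
    if len(fields["file"]) > BUF_SIZE:           # stands in for an unchecked strcpy
        raise OverflowError("fixed buffer overrun")
    path = posixpath.normpath(posixpath.join(WEB_ROOT, fields["file"]))
    return {"user": fields["user"], "path": path}   # never checks path is under WEB_ROOT

# ---- Fault injectors ------------------------------------------------------
# Each takes the recorded value of one field and returns hostile variants of it.
def delimiter_injector(seed: str) -> List[str]:
    return [seed + d for d in (";", "=", "=;", "<", "\x00")] + ["", ";;"]

def overflow_injector(seed: str) -> List[str]:
    return [seed + "A" * n for n in (64, 256, 1024, 4096, 65536)]

def command_injector(seed: str) -> List[str]:
    unix = ("; id", "| cat /etc/passwd", "`id`", "$(id)")
    windows = ("& dir", "| type c:\\boot.ini")
    return [seed + s for s in unix + windows]

def relative_path_injector(seed: str) -> List[str]:
    return ["../" * n + "etc/passwd" for n in (1, 3, 8)] + ["..\\..\\windows\\win.ini"]

INJECTORS: Dict[str, Callable[[str], List[str]]] = {
    "delimiter": delimiter_injector,
    "overflow": overflow_injector,
    "command": command_injector,
    "relative_path": relative_path_injector,
}

# ---- Oracle: decide whether a response is a fault -------------------------
SHELL_TOKENS = (";", "|", "`", "$(", "&")

def classify(resp: Optional[Dict[str, str]], exc: Optional[Exception], payload: str) -> str:
    if exc is not None:
        return "crash:" + type(exc).__name__
    path = resp["path"]
    if path != WEB_ROOT and not path.startswith(WEB_ROOT + "/"):
        return "traversal"                       # resolved outside the web root
    if any(t in payload for t in SHELL_TOKENS) and payload in resp["user"]:
        return "unsanitized"                     # metacharacters echoed untouched
    return "ok"

@dataclass
class Finding:
    injector: str
    field: str
    payload: str
    outcome: str

# Constructed stand-in for a request captured while monitoring the application.
RECORDED_REQUEST = "user=bob;file=index.html"

def run_campaign(handler: Callable[[str], Dict[str, str]], recorded: str) -> List[Finding]:
    """Mutate each recorded field with every injector and keep the non-ok outcomes."""
    baseline = dict(pair.split("=", 1) for pair in recorded.split(";"))
    findings: List[Finding] = []
    for field in baseline:
        for name, injector in INJECTORS.items():
            for payload in injector(baseline[field]):
                mutated = dict(baseline, **{field: payload})
                request = ";".join(f"{k}={v}" for k, v in mutated.items())
                resp: Optional[Dict[str, str]] = None
                exc: Optional[Exception] = None
                try:
                    resp = handler(request)
                except Exception as e:           # a crash is a result, not an abort
                    exc = e
                outcome = classify(resp, exc, payload)
                if outcome != "ok":
                    findings.append(Finding(name, field, payload[:40], outcome))
    return findings

if __name__ == "__main__":
    for f in run_campaign(toy_handler, RECORDED_REQUEST):
        print(f"{f.injector:14} {f.field:5} {f.outcome:18} {f.payload!r}")
```

Running it shows the point the text makes about repeatability: the same campaign against the same recorded request produces the same table of findings every time, so a fix can be retested by rerunning it. It also shows why a crash-only oracle is not enough: the relative path findings and the unsanitized findings come back from a handler that returned normally.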
Taking the Next Steps
There's a lot of work to be done to design secure and reliable applications. For starters, get a copy of Building Secure Software. Then consider a security code review by consultants such as Cigital, Foundstone or @stake. A handful of free and open source code scanning tools also exist, including Cigital's ITS4, David Wheeler's Flawfinder and Secure Software's RATS; all three are lexical scanners that flag calls to risky functions such as strcpy() and sprintf(), so expect false positives and review their output by hand. And, of course, conduct rigorous QA testing--Hailstorm can certainly help there.
Make no mistake: while security QA is a challenging and time-consuming process for developers, exploiting flawed code is just a point and click away for even the least sophisticated hackers, thanks to the easy-to-use tools and techniques shared across the Internet.
Building in security from the ground up is a basic tenet of information security, and it should be considered essential to any enterprise security plan.
This was first published in January 2003