GUEST ESSAY – The role of automation in keeping software from malicious, unintended usage

By Dan Chernov

Writing a code can be compared to writing a letter.

Related: Political apps promote division

When we write a letter, we write it in the language we speak — and the one that the recipient understands. When writing a code, the developer does it in a language that the computer understands, that is, a programing language.  With this language, the developer describes a program scenario that determines what the program is required to do, and under what circumstances.

If we make mistakes or typos in the text of the letter, its content becomes distorted. Our intentions or requests can get misinterpreted. The same thing happens when the developer makes errors in the code, resulting in inadvertent vulnerabilities.

Then the operating scenarios of the system become different from those originally intended by the software developer. As a result, the system can be brought into a non-standard condition, which was not provided for by the software developer. Thus, an attacker can manipulate these non-standard conditions for their own purposes.

As an example, let’s take SQL injection, one of the most well-known methods of hacking online applications. Suppose we have an online service, an online bank, for instance. We enter our login and password to sign in.  In a SQL injection attack the intruder inserts malicious code into the lines that are sent to the server for analysis and execution. With a user account, the attacker can bring the system into an abnormal condition and get access to other users’ accounts.

Of course, the developer never intended for the system to be used in such a way. Yet when writing the code, the developer made mistakes that led to the vulnerabilities which made such abuse possible.

More code, more risk

Chernov

Information systems are becoming more complex, therefore, the amount of code is increasing as well. A new mobile app, for instance, requires as many lines of code as a 15-year old Linux kernel. At the same time, nowadays developers seldom write code from scratch. They put in the ready-made code pieces, i.e. microservices assembled in software containers,  and then add 10 to 20 percent more to create the new app.

In turn, the larger the amount of code, the higher the risk of errors that will lead to vulnerabilities. To prove it, I’ll tell you about an interesting case. We have tested a thousand popular mobile apps on a set of parameters, compliance with which, according to our estimates, determines the security of the application.

It turned out that the average security level is 2.2 points out of the maximum 5. The only thing that saves the apps from massive attacks is that exploiting vulnerabilities in mobile applications without going deep into their server part is quite expensive and time-consuming. That’s why not all attackers are ready to do this.

Continuing the analogy of writing texts, in the past, when an author wrote a book or a journalist prepared a newspaper article, their texts used to be necessarily proofread by a copy editor, a person who checked for errors and inconsistencies. Nowadays, copy editors still exist, yet their job has become optional.

The role of automation

The fact of the matter is that people have learned to partially computerize this job, inlining automatic checks into computer programs to detect errors and typos. These automatic checks have gradually become more complex and in-depth. Now the special software checks style and semantics, as well as spelling.

The same thing happened to code writing.  We have got quite smart systems such as program code analyzers that can detect inconsistencies, vulnerabilities, and breaches in the written code.

They can be used in two modes depending on the amount of code. If the amount of the developed code is small, you can run the check in manual way. If we are talking about multi-level code development involving hundreds of developers, and the amount of code written is tens of thousands of lines per day, it is much more effective to run secure development processes (DevSecOps, Secure SDLC) with a code analyzer as their core.

If to explain the mechanism of such processes through the above analogy, imagine a whole workgroup of correctors. They have a hierarchy and algorithms defining the sequence correctors comply with when proofreading, the requirements a text should meet, and the cases when a text must be sent to be revised. The same is true for secure development processes and software before its release.

This is the world of software vulnerabilities we live in today. It requires awareness and diligence to keep secure.

About the essayist: Dan Chernov is CTO of DerSecur which supplies DerScanner, a static app code analyzer capable of identifying vulnerabilities and undocumented features in Google Android, Apple iOS, and Apple macOS.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone