VII. Programs

Rugged is … knowing that ALL software (programs, applications, operating systems) has bugs or vulnerabilities. Software is the means by which people interact with data, so secure software is critical to protecting data.

Since the beginning of computer program writing, there has been an average of one “bug” per 10,000 lines of programming code. All operating systems (Windows, Mac OS X, Unix, AIX, Linux (Ubuntu, RedHat, Slax, Debian etc.), iPhone, Android) have from hundreds of thousands to millions of lines of programming code. So ALL OPERATING SYSTEMS have software bugs, flaws or vulnerabilities that, when discovered, require updates and patches. As consumers we should be complaining to companies to better test their software for vulnerabilities before releasing it for commercial sale. As business owners we need to insist that developers working for us write secure code. It is cheaper to write secure code initially than to have to go back and write patches or correct programming code, but that has to be planned early, up front, before a project is initiated. The cost of fixing bugs in code once it is in production (thanks to “Xxyyz” for the link) can be many times that of fixing them early in the development cycle, but only consumer pressure will motivate companies to write more secure programs.

A program is written to make use of data. A major concern for a responsible professional programmer is to make sure the data used by a program he or she writes is not susceptible to compromise. Writing secure code should be a badge of honor for every software developer, and developers should insist that their code is run through vulnerability checkers to verify it is secure. This hasn’t been taught in most colleges, so securing code is a skill and attitude that those currently in the workforce must develop themselves. The Open Web Application Security Project (OWASP) is a worldwide non-profit organization focused on improving the security of application software and is a superb free resource for all program developers. (This Cyber Rugged website was created in cooperation with Rugged Software, which was started by several people involved with OWASP.) The OWASP Top Ten Project provides a powerful awareness document for web application security developers which every programmer in the world should know about and every business manager should insist that programmers use.

Databases

Databases have been at the nexus of many of the attacks of the last few weeks by “LulzSec”. How is our database security? 100% of tested IRS databases are vulnerable to hackers, according to the Department of the Treasury Inspector General. Different teams manage different parts of the processes for securing databases. There are no industry-accepted database security processes or requirements, and securing a database is not as straightforward as protecting a network or endpoint. The linked 80-page document, Building A Database Security Program (see also its Executive Summary), contains 6 major phases, 21 subprocesses and dozens of operational metrics that can be used to evaluate database security.

Cookies

Web programmers need to be particularly cognizant of how their code handles cookies. Cookies contain session information which, when mined, can reveal information about authentication mechanisms. For browser users, leaving a browser session open may permit unscrupulous people to “mine” the session authentication credentials for, e.g., an online banking transaction. The “cookiejacking” exploit is explained in this article.
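One check a web programmer can run on their own code is to audit the `Set-Cookie` headers it emits for the attributes that limit how a session cookie can be read or replayed. The script below is an added example, not code from the Cyber Rugged site; the header strings and the 30-minute session policy are constructed for the demo.

```javascript
// Added example: audit Set-Cookie headers for attributes that protect a
// session cookie (Secure, HttpOnly, SameSite, a bounded lifetime).
// The header strings and MAX_SESSION_SECONDS below are constructed/assumed.

const MAX_SESSION_SECONDS = 30 * 60; // assumed policy: 30-minute sessions

// Parse one Set-Cookie header value into its name/value pair and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null,
    maxAge: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=").map((s) => s.trim());
    switch (k.toLowerCase()) {
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": cookie.sameSite = (v || "").toLowerCase(); break;
      case "max-age": cookie.maxAge = Number(v); break;
    }
  }
  return cookie;
}

// Return the list of weaknesses found in a session cookie header.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.secure) findings.push("missing Secure: cookie can travel over plain HTTP");
  if (!c.httpOnly) findings.push("missing HttpOnly: page scripts can read the cookie");
  if (c.sameSite !== "lax" && c.sameSite !== "strict")
    findings.push("SameSite not Lax/Strict: sent on cross-site requests");
  if (c.maxAge === null) findings.push("no Max-Age: session lives until the browser closes");
  else if (c.maxAge > MAX_SESSION_SECONDS)
    findings.push(`Max-Age ${c.maxAge}s exceeds the ${MAX_SESSION_SECONDS}s policy`);
  return { name: c.name, findings };
}

// Constructed headers: the weak form beside its hardened form.
const WEAK_HEADER = "SESSIONID=abc123; Path=/";
const HARDENED_HEADER =
  "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=1800";
```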

Script Compilers — Interpreters

With the advent of Web 2.0 in the late 1990’s, major application developers began building reduced-function compilers that read scripts (called interpreters) into many applications. Windows Explorer (the Windows interface) has an interpreter in it, Internet Explorer (the browser) has one built into it, and Firefox, Chrome, Safari and other browsers all have interpreters built into them. Microsoft Office, OpenOffice, Adobe Reader and many other programs also have script interpreters built into them.

Any program that reads (interprets) HTML, allows you to enter data into it, or allows creation of macros very likely has an interpreter built into it. Interpreters can read simple English text and see it as command syntax to perform actions (even if a command wasn’t the intent of the text writer). This means that anyone on the Internet can write an email with commands in the text, send it to everyone, and the application (browser or email client) in which that email is read will execute the text in that email. This is one of the reasons email and web browsers are the most serious attack surfaces for Internet exploits.
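The defence against an interpreter reading someone else’s text as commands is to encode that text for the context it lands in, so the browser or email client treats it as data. The code below is an added example, not from the Cyber Rugged site; the message object is constructed for the demo and the `renderMessage` layout is assumed.

```javascript
// Added example: render untrusted message fields so the HTML interpreter
// treats them as inert text. HOSTILE_MESSAGE and the layout are constructed.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// For text between tags and inside double-quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// For href/src values: allow only http(s) URLs, otherwise neutralise the link.
function safeUrl(url) {
  const trimmed = String(url).trim();
  return /^https?:\/\//i.test(trimmed) ? escapeHtml(trimmed) : "#";
}

// Build the HTML an email client or web page would show for one message,
// encoding each field for the context (attribute, text, URL) it is placed in.
function renderMessage(msg) {
  return (
    `<div class="msg" data-from="${escapeHtml(msg.from)}">` +
    `<p>${escapeHtml(msg.body)}</p>` +
    `<a href="${safeUrl(msg.link)}">link</a></div>`
  );
}

// Constructed message whose fields carry markup, an event handler and a
// script: URL, i.e. text that an interpreter would otherwise act on.
const HOSTILE_MESSAGE = {
  from: 'x" onmouseover="alert(1)',
  body: '<script>alert("mined")</script> <img src=x onerror=alert(1)>',
  link: "javascript:alert(1)",
};

// True when no raw tag or script: URL from the input survived into the output.
function isInert(html) {
  return !/<script|<img|javascript:/i.test(html);
}
```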

Language of the Web — HTML and XML

Tim Berners-Lee invented a plain text language called Hyper Text Markup Language (HTML) to make it as simple as possible to display web pages graphically instead of in the simple command-line text that the Internet used before the World Wide Web Consortium (W3C) established the World Wide Web. The W3C then created a straightforward language for use over the Internet called Extensible Markup Language (XML) to provide a method for formatting data so that data written in it could be read by many applications. XML applies context to the data and separates data content from data presentation, which uses HTML. XML is critical for computer systems on different platforms to be able to exchange data easily among themselves.

On the horizon —

HTML 5 (Wikipedia) — HTML 5 is the latest revision of Hyper Text Markup Language. It aims to support the latest multimedia capabilities while keeping the language itself readable by humans but consistently understood by computers, parsers, browsers, etc. It adds new syntax for video, audio, canvas and other features that will let it handle multimedia and graphical content without proprietary plugins and APIs.

WebGL (Wikipedia) — Web Graphics Library extends JavaScript so that it can generate interactive 3D graphics within any compatible web browser. WebGL brings hardware-accelerated 3D graphics, at over 60 frames per second, to the browser, making it possible to play e.g. Angry Birds in an HTML 5 compatible browser instead of as a stand-alone application.

20 Responses to VII. Programs

  1. 13128 says:

    The problem with source code bugs is growing rapidly due to the emergence of low cost or free apps and programs designed by programmers that are not necessarily focused on the security of their code. While their code may not be deliberately malicious there may exist flaws in the code that are easily exploited.

  2. GTM says:

    Same guy that invented the Internet (Berners-Lee) invented the plain text language…. interesting.

  3. Kubla says:

    Let’s see…I’m supposed to be aware of phishing, keep kids from using my computer and infecting it with pedophiles, watch out for bogus lookalike websites, encrypt everything, never give my info to companies, the gov’t, social media or doctors, read all the end user agreements and trust no one.

    I’m just going to unplug my computer and go live in a cave.

  4. xyzzy says:

    I inherited a pile of code from the previous IT contract, and it was FULL of SQL-insertion vulnerabilities.

    And some good information about the increasing cost of bug fixing as we progress further down the development life-cycle: http://www.superwebdeveloper.com/2009/11/25/the-incredible-rate-of-diminishing-returns-of-fixing-software-bugs/

  5. hacker says:

    “Since the beginning of computer program writing, there has been an average of one ‘bug’ per 10,000 lines of programming code.”
    Wow, if we were only ‘average’ the amount of help desk tickets would greatly diminish.
    BTW, this is why my code is simplistic. Simple is easy to write, easy to maintain, easy to understand, easy to secure. People who try to write fancy, overly complex code never seem to understand this.

  6. Chris says:

    I still find it hard to believe that in all the time Windows has been out, the product still has security holes in just about every part of it. I also find it hard to believe that if people can figure out how to exploit these holes there isn’t a software tool capable of scanning the code accurately enough to find the holes these humans are finding. Those people that find bugs and exploit them can’t be so highly skilled that a computer can’t scan code and find these problems before a person can.

  7. s says:

    “As consumers we should be complaining to companies to better test their software for vulnerabilities before releasing it for commercial sale.”

    Or we, as consumers, could choose not to purchase any more software (or “upgrades”) from the same companies that keep producing buggy software.

  8. ALP says:

    Let’s see, according to Knowing.net Windows XP has approximately 40 million lines of code, so we could expect about 4000 bugs. Yea, that sounds about right.

  9. znrn says:

    I have used the OWASP website many times for information related to secure software development. If you do any kind of coding or website management then please do yourself a favor and become familiar with OWASP!

  10. Pam Perret says:

    Everyone should take security seriously, even the part-time-for-fun programmer.

  11. Longshot9 says:

    I liked the Dilbert comic where the programmers were paid a bonus based on the number of bugs they found and fixed in their own software. Wally spent his lunch writing a new car. That’s pretty close to the idea of constant software patches for bad code. There has to be some incentive to write good, clean code. Right now it seems more based on delivery schedule and “fix it in the upgrade.”

  12. OctalMan says:

    The idea that there’s 1 undiscovered bug per 10K lines of code is a pretty old software quality measurement that I recall quoting once from an ACM article. That was the figure we used back in the mid 1980s for QUALITY code. Back then, an OS had perhaps 1M to 5M lines of code – depending on how you measured lines and what you included (utilities, libraries). Windows XP is said to have 45M lines. Debian Linux is said to have 300M. http://www.springerlink.com/content/c516h8t6l16251l5/?p=ec540333df2b4b38a6aff2d8f6990e2f But all this ignores the seriousness of a given bug, and the bald fact that software has not been 100% testable since perhaps the early 1960s. Now, we have marketing and management thinking that Agile Development=Not As Much Effort or People, and ignoring the actual principles of QA even more.

  13. Buster says:

    A problem with some programmers I’ve worked with is they don’t believe they wrote bad code. Or, the customer is wrong and not a priority. Only the next release or next big fancy product launch was a priority. Ego and attitude have a lot to do with how some software and hardware development groups do their jobs.

  14. Mike says:

    Amazing how in the early days I was able to run multiple programs off of a 40MB hard drive and now we have terabytes to cover the same thing. What ever happened to programmers? Did the advent of large hard drives make them sloppy?

  15. DJM says:

    It is almost impossible to test large programs for every vulnerability. Some problems may not be discovered for months and may only exist under the most extreme circumstances.

  16. AID says:

    Good to remember the terminology … knowing ALL software (programs, applications, operating systems), bugs or vulnerabilities, databases, cookies, web languages and horizon.

  17. EGK says:

    Find me the perfect human being, and I’ll find you the perfectly flawless program 🙂

  18. Corbyn says:

    Codes were invented to be broken. There is always someone or some entity out there with the playbook in hand. We should go back to the way things were before technology took off. None of this nonsense was prevalent.
