Writing Secure Code: The Root Cause of the Problem?
As a security speaker and instructor, while presenting some of the security vulnerabilities we deal with on a daily basis (protocol and implementation flaws, buffer overflows, format strings, lack of input validation, XSS, SQL injection...), I'm frequently asked what we can expect as security pros in the coming years. I predict two scenarios:
- The son of the son of the son of my son will be able to make a living as a security professional.
- We finally get the idea and start fixing the root of today's security issues: vulnerable software.
I finished my Master's degree in Computer Science a decade ago, and at that time, I didn't go through a single security best practice in any of the different programming, software engineering and development subjects (and believe me, I went over lots of programming methodologies and languages during my 6-year university degree). Unfortunately, the situation has not changed too much nowadays.
The SANS Institute finally announced at the end of March a new initiative focused on the secure coding field, called the SANS Software Security Institute (SSI). It's started covering the most commonly used languages, C & C++ and Java/J2EE, and very soon, .NET/ASP and PHP/PERL. New languages will be added afterwards. It is time to involve the programmers in security!
As an example, the first year of the Coverity Scan project, automated vulnerability research for open source code, has disclosed more than 6,000 flaws. Commercial software is no better, and the security industry is getting crazy, as shown by the latest MS ANI flaw. It was known 3 months ago but there was no official patch available, several third-party patches were moving around, and once the official patch was out, it caused some conflicts :(
What are some secure coding resources I can start with?
Programming languages:
The most popular languages still seem to be Java, C/C++, PHP, (Visual) Basic, Perl, Python ... with Ruby (and probably Ruby on Rails) pushing really hard.
Web sites:
- OWASP. The Open Web Application Security Project, focused on insecure Web software.
- Secure Programming.com, by John Viega and Matt Messier.
- Writing Secure Code. MSDN.
- CERT Secure Coding. CERT.
- Common Weakness Enumeration (CWE). Mitre.
Books:
- "Secure Programming for Linux and Unix HOWTO -- Creating Secure Software" by David Wheeler (free). C, C++, Java, Perl, Python, and Ada95.
- "Secure Coding: Principles and Practices" by Mark G. Graff and Kenneth R. van Wyk (O'Reilly, 2003).
- "Writing Secure Code, Second Edition" by Michael Howard and David LeBlanc (MS Press, 2002). And very soon... for Vista!
- "Building Secure Software: How to Avoid Security Problems the Right Way" by John Viega and Gary McGraw (AWS, 2001).
- "Secure Coding in C and C++" by Robert C. Seacord (AWP, 2005).
- "The Art of Software Security Assessment" by M. Dowd, J. McDonald, and J. Schuh (AWP, 2006).
Tools:
- Flawfinder by David Wheeler (free). C & C++.
- Valgrind, invalid memory usage (free). Linux. C & C++.
- Rational Purify, invalid memory usage (commercial). Windows. Java, C++ and .NET.
- ITS4 by Cigital (free). C & C++.
- RATS by Fortify Software (free). C, C++, Perl, PHP and Python.
- Other tools and more...