Slashdot Mirror

← Back to Stories (view on slashdot.org)

Over Half of Software Fails First Security Tests

Posted by Soulskill on from the over-half-of-users-are-oblivious dept.

An anonymous reader writes "Even with all of the emphasis on writing software with security in mind, most software applications remain riddled with security holes, according to a new report released today about the actual security quality of all types of software. Close to 60 percent of the applications tested by application security company Veracode in the past year-and-a-half failed to achieve a successful rating in their first round of testing. And this data is based on software developers who took the time and effort to have their code tested — who knows about the others." Reader sgtrock pointed out another interesting snippet from the article: "'The conventional wisdom is that open source is risky. But open source was no worse than commercial software upon first submission. That's encouraging,' Oberg says. And it was the quickest to remediate any flaws: 'It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,' he says."

19 of 145 comments (clear)

  1. That's great. by cbiltcliffe · · Score: 3, Insightful

    Now they need to test the users.....

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
    1. Re:That's great. by Volante3192 · · Score: 3, Funny

      Of course, 60% of the apps they tested were web applications, leaving 40%...

      (Yeah, yeah, it's unlikely that the only apps that failed were web apps, I just thought it a spiffy coincidence that the % of apps that failed testing also equaled the % of web apps tested.)

    2. Re:That's great. by Anonymous Coward · · Score: 3, Insightful

      Your viewpoint is a little close-minded. Most software written is never even sold. It is mainly in-house custom apps in companies where it would be pointless to try to exploit it because there are easier ways to get the data. And how about the software that runs completely closed on microcontrollers that are in every single product sold today?? Think before you post. :)

    3. Re:That's great. by tjarrett · · Score: 3, Informative

      We scan selected open source projects on a pro bono basis and reach out to the project teams to share the findings with them.

      Disclaimer: I work for Veracode and was a coauthor of the report.

  2. What emphasis on security? by Jurily · · Score: 4, Insightful

    I thought the only measure of a project was whether it makes the deadline.

  3. Bolting On by Chris+Lawrence · · Score: 3, Insightful

    As Bruce Schneier has said, trying to bolt on security to an existing product or application can be very difficult and time consuming. Sometimes you even have to redesign things. Designing for security and using secure coding practices from the beginning, however, makes it much, much easier.

    1. Re:Bolting On by Anonymous Coward · · Score: 3, Insightful

      Designing for security and using secure coding practices from the beginning, however, makes it much, much easier.

      Sure it does... but that sort of design takes money and expertise. More often software is dreamed up and planned in ad hoc meetings. For example, a person in marketing decides it would be a great idea if their customers can get updates on their phones and Nitwitter accounts. In a 4PM meeting the marketer proposes it to his boss as a necessary value-add function without which the competition would eat us alive (1).

      The next day, a "planning" meeting is called. The marketing manager tells (note, I say "tells" not "asks for input") the programming manager that the company needs mobile updates. The company needs (note, it's changed from the "Marketer wants" to "company needs") it before the next peak retail opportunity. This opportunity is either Valentine's Day or Easter or Summer Break or Thanksgiving or some other arbitrary retail holiday.

      The programming manager tells his programmer, "We need it by end of week."

      The programmer begins to think about the problem. He raises objections to the timeline and lack of design. The marketing manager cries to the CEO. The CEO screams at the CTO. The CTO screams at the programming manager. The manager tells the programmer that he's wasted a day and we still need it by end of week.

      The programmer thinks about coding and how to grab the data he needs. He browses a database and finds a table that he needs. To make it accessible to the web frontend, he opens up some permissions. Maybe he creates a new view that combines multiple tables to make his code easier or faster. This new view now violates PCI and SOX regulations, but he doesn't care.. this is just for testing until he can figure out how to do it properly. He stays up all night and gets a proof of concept working. The next day he shows it to his manager.

      His manager says, "OK, tell them it's done."

      The test software becomes production.

    2. Re:Bolting On by Bert64 · · Score: 4, Interesting

      For another encryption example, look at how windows and linux implement user password hashing...

      Linux takes the plaintext password via an input channel (ssh, telnet, gdm, local console etc), passes it to PAM which loads the corresponding password from the shadow file, encrypts the user input with the same algorithm and salt, and compares the output. The backend (pam, encryption cipher) can be changed without affecting how the frontend, making it easy to use a different encryption algorithm as increases in computing power, or discovery of cryptographic flaws, renders the old ones insecure.

      Windows, in a somewhat misguided attempt to prevent plain texts being sent over the network, effectively uses the encrypted hash (yes its more complicated than that, but the general idea is that only the hash ever gets used and the password isnt sent in the clear - unix solves this at a different layer by using encryption of the plaintext password such as ssh)... Because of this, the hashing algorithm is difficult to change. Older windows used lanman which is laughably weak, while modern windows uses ntlm by default which is somewhat stronger but not great... However, modern windows still has lanman support for compatibility reasons, and until vista/2008 it was still enabled by default. If they change the hashing algorithm, then they will still have to retain the old ones for quite some time in order to have compatibility, and also change the protocols to handle a third possible algorithm.
      The fact that you can use the hash without cracking it first is also a design flaw, this isn't possible on unix or anything else i'm aware of.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  4. Well now by Monkeedude1212 · · Score: 4, Informative

    That's extrapolating a bit much, isn't it? And scanning through the article, they don't even name the sample size, just percentages.

    And yes, they mention that its only the stuff that they test, "so imagine what the rest is like". Well - thats it though, if someone is professionally developing with security in mind, they probably know how to test it in office or know somebody who can. Thus - no need to pay this corporation to test something you can do yourself.
    If you are developing with security in mind - but aren't sure exactly what you're looking to protect against - THATS when you go to companies like these.

    This is a pretty much skewed data source (probably a slashvertisement for them, too), and is the only study of its type. Take it with a weeks worth of salt.

  5. Security is no selling point by Opportunist · · Score: 5, Interesting

    It just is not. Actually, quite the opposite: The better your security, the more your potential customer will be put off by it.

    Users do not care about security until it is too late (i.e. until after they got infected), and only then they will bitch and rant and complain how insecure your piece of junk is. If you, otoh, take security serious and implement it sensibly, they will bitch and rant already at install because they hate the hoops to jump through and the obstacles to dodge to make your software "just work".

    Security is the antagonist to comfort. By its very definition. No matter where you look, security always means "additional work". Either to the user, which means overhead to his work, or to the program, which means it will invariably be slower than its competing products.

    Thus security is not only an "unnecessary evil" when selling your product. It is actually hurting you when you try to convince someone to buy your stuff. Your software will be slower due to its security "burden", and it will be less comfortable to the user. The user does not see the glaring security holes when he buys the product. Only after, when the product bites him in the ass because it opened him up to an attack. But by then, he will already have paid for your product. And he will have bought your product instead of the more secure product your competitor offered, because yours was faster and easier to use.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Security is no selling point by characterZer0 · · Score: 3, Insightful

      Protecting against SQL injection attacks, XSS, buffer overflows, and validating user input does not put off users.

      --
      Go green: turn off your refrigerator.
    2. Re:Security is no selling point by ka9dgx · · Score: 3, Informative

      Actually, good security would be a GREAT selling point, if someone actually implemented it.

      Security is the ability to run code without unwanted side effects. Windows, Mac, Linux do not offer a simple way to do this. The closest you can get is either Sandboxie on Windows, AppArmor on Linux, or setting up a VM per program.

      If you offered a way to specify the limits of side effects on an application before and while it runs, you could make a ton of people very happy. I suspect there is some money to be made there as well.

  6. Security firm says security is an issue by SlappyBastard · · Score: 4, Insightful

    Hmmm . . . there's a word for that . . . XKCD, can you help me?

    http://www.xkcd.com/703/

    --
    I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
  7. What about commercial open source software by weeble · · Score: 4, Informative

    So lots of comparisons between open source and commercial software; however there is a lot of open source software that is sold, i.e. commercial. In addition it has been shown that most of the code for the Linux kernel was developed by people who were paid to do it by Red Hat, IBM, Intel and others. Does that mean that the Linux Kernel is commercial software.

    May be the article should refer to closed source proprietary and open source software.

    The article reads as if the author does not fully understand the how Open Source software is developed and is just a large advert (a.k.a. press release) for the auditing software.

    --
    Slashdot Beta should die a painful death.
  8. Re:Open source doesn't necessarily mean dangerous by Opportunist · · Score: 3, Informative

    Quite the opposite. OSS is often far more secure than its "commercial" counterpart, for the obvious reasons.

    1) No deadline. OSS is usually "done when it's done". Most OSS software I know is in perpetual beta, never reaching what its maker would call a "release state", but offers at least the same level of security and stability (if not better) as its commercial counterpart. Simply because there is no date we have to push something out the door, secure or not, ready or not, we have to make it for christmas (or for the new Windows version).

    2) No need to "sell" the software. You needn't dumb down and strip security so potential customers accept the level of burden security adds to the fold. Security is never free. It always comes at the price of overhead. When you have two software tools available, customers will pick the one that is more "accessible". Which usually also is the less secure one. Because security often adds layers of additional overhead (either to you, the user, slowing you down and requiring you to enter passwords or access things in a certain way, maybe even with additional tools instead of from "inside" the tool you're mainly using, or to the system, meaning your software will run slower).

    3) Peer review. Your code can easily be reviewed by thousands of "hackers" trying to find an easy way into your system, instead of having to poke at decompiled code. If you can read the source, far more people are able to poke and prod at it, resulting in more secure software instead of less, because security holes get found faster and, in turn, fixed faster. By the time you start using the product, a few months after its release, you may rest assured that all the easy to find security holes have been found by hobbyists. With CSS you often need experienced ASM cracks to dig those holes up, resulting in fewer people able to look at those holes and thus a slower patching cycle.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Re:The other half by Opportunist · · Score: 3, Funny

    Nah, the other half crashed when pitted against the security test suite.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. In other news... by GuruBuckaroo · · Score: 3, Insightful

    More than 90% of all software tested fails to compile the first time. Seriously, that's what security testing is for - finding holes so they can be filled.

    --
    Poor means hoping the toothache goes away.
  11. Re:As misleading as 'Show all warnings' by clone53421 · · Score: 3, Insightful

    I've worked with managers and developers that want to eliminate all the warnings in the source.

    There’s a good reason for that, and it’s not as petty as you think.

    Warnings exist to let the programmer know that the actual behaviour might not be what the programmer thought was most intuitive. If it’s implicitly casting a float into an int, you damn well better know what that means and what effect it’s going to have on your code... it means that 1/2 == 0, for starters. Similarly, there’s absolutely no reason why you can’t use (count = 5) as an expression, except that its value is always 5, not true or false as you may have incorrectly thought.

    Lazy, sloppy, or inexperienced programmers are going to fall for these sort of pitfalls. Experienced, careful ones won’t nearly as often. But if you force a lazy, sloppy, and inexperienced programmer to learn why the compiler is giving a warning and eliminate it, he’s going to end up slightly less lazy, more careful, and with a little more experience than he started with, because he’ll hopefully understand the warnings by then and know what the code is actually doing.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  12. Secure web app design is HARD by einhverfr · · Score: 3, Insightful

    I know you meant it in jest, but there's a serious point there.

    First, having written a number of small utilities, and some larger GUI-based tools, I have to say that web app design is fundamentally more difficult primarily because you have a number of specific challenges in this area that only apply to them.

    Not only do you have to deal with all the usual problems, but you also have to deal with XSRF, XSS, and so forth. This is because you are you have a program which is generating HTML code as output, not merely a nice UI that is the product of the code, and this is happening in a stateless environment so information is somewhat limited in the interaction well beyond what it would be normally. Furthermore, authentication is more difficult in a stateless environment, especially where multi-tier systems are involved.

    Most people don't appreciate how easy these are to mess up and how hard they are to fix when a developer creates a project without adequate thought to security in the first place.....

    --

    LedgerSMB: Open source Accounting/ERP