Following Best Coding Practices Doesn't Always Mean Better Security

wiredmikey writes "While some best practices such as software security training are effective in getting developers to write secure code, following best practices does not necessarily lead to better security, WhiteHat Security has found. Software security controls and best practices had some impact on the actual security of organizations, but not as much as one would expect, WhiteHat Security said in its Website Security Statistics Report. The report correlated vulnerability data from tens of thousands of Websites with the software development lifecycle (SDLC) activity data obtained via a survey. But there is good news — as organizations introduced best practices in secure software development, the average number of serious vulnerabilities found per Website declined dramatically over the past two years. 'Organizations need to understand how different parts of the SDLC affects how vulnerabilities are introduced during software development,' Jeremiah Grossman, co-founder and CTO of WhiteHat said. Interestingly, all the Websites tested under the study, 86 percent had at least one serious vulnerability exposed to attack every single day in 2012, and on average, resolving vulnerabilities took 193 days from the time an organization was first notified of the issue."

Following best architectural design practices

[TheLink]

Following best architectural design practices doesn't mean your final building will be more secure.

Re:Following best architectural design practices

[hairyfeet]

Or to just cut past all the damned metaphors just because you teach your programmers not to have Bobby Drop Tables size screw ups doesn't mean there isn't a bazillion other ways they can screw up.

Re:Following best architectural design practices

[chrismcb]

Of course it does, and TFA even says so. Of course going to "software security training" isn't exactly a "best practice" either. Just because someone goes to a training session doesn't mean they'll learn anything.
Following best practices in code will most definitely make your code more secure. But more secure is very relative. You can still have plenty of vulnerabilities, just fewer than before.
Best practices or no, we all make mistakes, and plenty of them. It only takes one mistake to leave a hole. Whether it is a simple bug, or a design flaw. And the bad guys only need to find one flaw. So yes Best Practices help. But it doesn't mean your code is going to be Fort Knox.

"best practice" and surveys

[bickerdyke]

Asking software companies if the require their developers to adhere to "best practice" won't lead to any usefull number at all.

Or does anyone think anyone would admit to use only second-best programming standards?

Let alone the question what programming techniques count as "best practice".

Re:"best practice" and surveys

[plover]

You completely misread his essay. Yegge did not try to claim that "bugs are not a big deal" to him. He only pointed that out as a possible viewpoint of a "liberal" programmer.

However, his thesis that programmers are either "conservatives" or "liberals" is completely wrong-headed. People are either engineers (tests, proof, knowledge) or not. Static typing doesn't enter into it. The crap he was yammering about seemed written to justify his choices and his existence, not to provide useful knowledge.

Re:"best practice" and surveys

[phantomfive]

We can quote from what he wrote:

"Bugs are not a big deal.......Bugs are not a big deal!...... (This belief really may be the key dividing philosophy between Conservative and Liberal philosophies.).....I am a hardcore software liberal, bordering on (but not quite) being a liberal extremist."

He definitely puts himself on one side of the spectrum. As you said though, the whole essay could be renamed "Stuff I like and stuff I don't like." Because that's essentially what it is.

Rules should be treated like guidelines

If secure coding could be described by a few simple rules, coders would have already been replaced by programs.

Best practices

[philip.paradis]

"Best practices" is such a wonderful term; its sheer flexibility permits the person invoking it to assure his audience that he meant exactly what he said, even when he didn't say much of substance.

Now if you'll excuse me, I'm late for a game of bullshit bingo.

No surprise

[gweihir]

Secure code needs a holistic view. The usual component architecture that works pretty well for reliability and correctness, but not so well for performance, fails utterly for security. What is needed is a really competent secure software expert, that can do everything from architecture down to coding and is part of the team right from the beginning. This person must also have means to enforce security. Unfortunately, people that can do this job are very rare, and most projects do not have that role anyways.

Re: No surprise

[mattpalmer1086]

Been there, done that, made redundant.

This was at a software house selling payment processing middleware that had to be PA-DSS compliant. Achieved compliance, role made redundant.

They clearly made a risk reward calculation and decided the benefit of securing the product was outweighed by the cost of slowing development. Particularly as everyone else's security also sucked and there was no particular liability for them if a breach occurred. It's a classic externality.

I'm also on the steering committee for an initiative trying to improve software security and resilience. They also figured out that the market was failing here, and only legislation for software liability or some other mechanism to correct the externality had any chance of improving the situation. But the cure might be worse than the disease. ..

People are the primary security hotspots

[cyborg_zx]

Since that's unlikely to change good ol' social engineering is still going to be the primary tool in any would be assailants toolbox for breaking security.

Re:People are the primary security hotspots

[smooth+wombat]

Reminds me of a question I was asked in an interview: "What do you consider the most serious threat to the integrity of data?"

I looked at the person who asked the question and answered, "People on the inside." I then elaborated that the majority of data breaches and leaks comes from inside an organization, that once you allow someone access to that data, you have a potential security issue.

That wasn't the answer they wanted.

Just a thought

Isn't that why they're called Best Practices and not Perfect Practices?

In the eye of the beholder

[SuperDre]

Well.. 'Best coding practices' is all in the eye of the beholder.. what one calls best practice might look awfull to another.. there really is no 'best coding practices'..

Re:In the eye of the beholder

[CapOblivious2010]

Well.. 'Best coding practices' is all in the eye of the beholder.. what one calls best practice might look awfull to another.. there really is no 'best coding practices'..

For overall coding, you're right - it's all in the eye of the beholder. For secure coding, one simple rule (which is unfortunately much harder to follow than it should be) will avoid 99% of the problems:

DON'T EXECUTE CODE WRITTEN BY YOUR USERS!

What makes it so damn hard is the temptation (if not active encouragement by your platform) to "stringly type" all your data, combined with the temptation (if not active encouragement by your platform) to build up executable code by pasting strings together, all smothered in a rich sauce of inconsistent, confusing, and poorly-documented rules for how to escape what characters where.

Having good engineers

is more important than having managers that insist that engineers follow every guideline from the MS Press book, or whatever.

For example, one of the guidelines is always "do not use sprintf". But sprintf is perfectly safe in cases like this:

std::string myfunc( int i ) {
char buffer[80];
sprintf( buffer, "Your number=%d", i );
return buffer;
}

So what we sometimes see is a lot of mindless replacements of perfectly good function calls with slower, more difficult-to-read counterparts, where the process of substitution may have produced bugs. Ordered by management during scrum so he can rattle off metrics to his boss on how much more "secure" the code base is now than three weeks ago.

Re:Having good engineers

sprintf is a minefield of bad. You *have* to know how to use it correctly.

For example

char xyz1 =1;
unsigned int xyz2 = 2;
long long xyz3 = 3;
short xyz4 = 4;
char buffer[50];
sprintf(buffer, "%d %d %d %d", xyz1, xyz2, xyz3, xyz4);

That is a bad statement (especially if you are porting between platforms). with at least 6 different places for over runs and underruns. 1 place for a incorrect signed type. Your code btw returns a pointer from the stack. Which means it will just 'go away' and is subject to change. You may get lucky and it works for 'awhile' until you call something else.

Each datatype has its own % type. For example a short is %h most people do not know that (and that varies between different CRTs). The code I have above would overrun a buffer and read out too much data (off the stack probably from the buffer var or the padding between them). The first %d would do the same thing. The 3rd one would not read enough. Make those numbers bigger and I would overflow the buffer.

I learned this the *VERY* hard way (400+ statements all with over runs and under runs). Use printf/sprintf in the right way. Read the doc completely match your types exactly. It is also different on windows vs linux vs random embedded platform. After looking at about 6 different sprintf implementations they quality varies wildly from stupid to able to handle the above statement with aplomb.

Also just because you are using a 'type safe' language does not mean you are safe from this. Many just pass along to sprintf/printf so you are still subject to the same rules. Sometimes with even less control.

Re:Having good engineers

[Mr.+Slippery]

But sprintf is perfectly safe in cases like this:

If we make some (currently sensible) assumptions about sizeof(int), yes, that's safe. The problem is that somewhere down the road, the newbie who maintains your code is going to change it to

sprintf( buffer, "After long and careful consideration, our system has calculated your number=%d", i );

Secure code is not just "code containing no flaws", it's "code structured in such a way to guard against the introduction of flaws in further development and maintenance".

Good studies and bad studies

[SirGarlon]

I started reading the report and I quit halfway through the executive summary. This is one of those reports that says, "We documented a bunch of stuff happening. No idea why it happened, but let's speculate." I generally respect the folks at White Hat (have met several at conferences etc.) but I simply don't see the value in this report. I think they've lost track of why it's worthwhile to conduct a study in the first place. Perhaps Richard Feynman can help.

Then they obviously aren't...

[pigiron]

"best" practices. Stop reading Gartner.