Cybersecurity and Vulnerability Scans
Posted by Paul Szynol on Thursday, January 30 @ 20:35:51 EST
Just days after the Slammer worm, the Institute for Information Infrastructure Protection (I3P) has released a report entitled Cyber Security Research and Development Agenda.
The report discusses source code scanning techniques and recommends, among other things, research into source code vulnerability scanning software. The idea is that, just as a compiler flags syntax and type errors, a vulnerability scanner would flag security flaws in code that already compiles cleanly.
The report describes the methodology only briefly: "Current research on source code analysis includes exploration of pattern matching, feature extraction, and code slicing analysis techniques."
Taken generally, this is an argument in favor of open source: such scanners need the source, so software whose source is public can be scanned by anyone, not only by its vendor.
For "object code," the report reads, "comparative analyses, and disassembly-based techniques are being explored", but analysis that starts from a disassembly is likely to be less accurate, since compilation discards the variable names, types and array bounds that a source-level scanner can use.
Microsoft recently submitted segments of its source code to security screening by national governments, partly to prove that its software is at least as secure as open source software. In principle, Microsoft could subject the entirety of its software to vulnerability scans and compare the results to similar tests of open source code. Arguably, a security analysis based on robust third-party vulnerability scans would produce objective results.
Re: Cybersecurity and Vulnerability Scans
by mako on Thursday, January 30 @ 21:19:44 EST (http://yukidoke.org/~mako/)

> In principle, Microsoft could subject the entirety of its software to vulnerability scans, and compare the results to similar tests of open source code. Arguably, a security analysis based on robust third party vulnerability scans would produce objective results.

Why would these results be useful? I don't feel that getting into an "automated scans detect more simple bugs in your software than in my software" sort of argument is particularly useful, since by the time you've run the scans and released the results, all of those bugs will have been fixed.
Once the tools are freely available, these types of automated scans to detect and fix security bugs will be another step in software production, open or closed.
I always felt that the "free/open source is more secure" argument was both impossible to prove and more useful in creating a false sense of security than real security. A false sense of security, after all, is the only kind you can buy.
Audit your code (or use audited code), monitor your systems, and use common sense.
Re: Cybersecurity and Vulnerability Scans
by Anonymous (Name Withheld on Advice of Counsel) on Thursday, January 30 @ 23:36:54 EST

They might, at the very least, enforce shared standards for what qualifies as secure and an objective method for testing the software's success at meeting those standards.
Re: Cybersecurity and Vulnerability Scans
by HowardGilbert on Friday, January 31 @ 09:01:04 EST (http://www.yale.edu/pclt)

In 1965 Yale acquired one of the last pre-modern computers (an IBM 7094). It had a typical unchecked IBM Fortran compiler, but it also had PUFFT (the Purdue University Fast Fortran Translator). When a program ran in PUFFT, the system prevented indexing beyond the end of an array or buffer and most of the other errors that today lead to security exposures.
However, to enforce array bounds, parameter ranges, string ranges, and the like you have only two choices. Either the program must declare the constraints so the language can check and enforce them (Pascal, Ada), or the runtime must allocate only strongly typed dynamic objects so it can enforce access to them (Java, .NET).
The problem is that C is the worst programming language ever invented in which to do this sort of work. Unlike even Fortran, which comes from the dark ages, C has no meaningful declaration of arrays, buffers, or strings and no typing (since arrays, buffers, and strings are all the same thing). The bottom line is that no program can detect if a program is correct or not unless there is specific information in the program about what correct means. Is a+b=24? Well, if I don't tell you what "a" and "b" are, there is no way you can check the calculation for an error.
Security errors are simply program errors that someone has figured out how to exploit to bypass security. Far be it from me to say something bad when a group of universities want to scam money from the government, but the idea of scanning programs to automatically detect bugs in the code has been around since the first program was written. People have been working on this problem for decades, and if there had been any real progress everyone in the industry would know about it. It would be like discovering a way to turn shit into gold.
It would also be a compiler switch. That's what the /warning_level_max option (or its equivalent) is on most compilers. If anyone knew how to do it, it would be part of gcc.
The software profession worked this problem through during the early 1980s and the result was Ada. Nothing is written in Ada today, because companies, universities, and programmers decided it was "too difficult". In the rush to be first to market, companies looked for languages that would bring the code out in the least time, not that would produce the best quality code. Microsoft can be blamed for poor choices, but they were choices made by every other company and made first by universities like Yale that taught programming in the weakest language ever invented.
Hey, if someone can get grant money to work the problem, that is great for them. While they are at it, let's develop some software that can take the script for Kangaroo Jack and turn it into Mourning Becomes Electra.
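The kind of source scan the report gestures at, and the objection raised in the comment above, side by side in one added example. This is illustration code written for this page; it is not from the post, the I3P report, or any commenter. It does what the report calls pattern matching (flag every gets() and strcpy()) plus a crude forward slice: it remembers the declared size of each local char array in the current function and checks it at the strcpy() that writes into it. The sample C source, its function names and the severities are all constructed for the example. Where the destination is declared as `char buf[8]` the scanner can prove the overflow; where it is a bare `char *` parameter it has no size to check against and can only report that it cannot decide, which is the commenter's point about C in miniature.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input for the example: a few C functions written
# for this demonstration, not taken from any real project.
SAMPLE_C = '''
#include <string.h>
#include <stdio.h>

void fixed_ok(void) {
    char buf[16];
    strcpy(buf, "short");          /* 6 bytes into 16: fits */
}

void fixed_overflow(void) {
    char buf[8];
    strcpy(buf, "this literal is too long");  /* 25 bytes into 8 */
}

void fixed_unknown_source(const char *s) {
    char buf[32];
    strcpy(buf, s);                /* destination bounded, source is not */
}

void pointer_dest(char *dst, const char *src) {
    strcpy(dst, src);              /* neither size is declared anywhere */
}

void legacy(void) {
    char line[64];
    gets(line);                    /* unbounded by definition */
}
'''

# Patterns: a local char array declaration, a strcpy() call, a gets()
# call, and a plain C string literal (escapes allowed, no concatenation).
DECL_RE = re.compile(r'\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]')
STRCPY_RE = re.compile(r'\bstrcpy\s*\(\s*(\w+)\s*,\s*(.+?)\s*\)\s*;')
GETS_RE = re.compile(r'\bgets\s*\(')
LITERAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')

Finding = Tuple[int, str, str]   # (line number, severity, message)


def c_literal_len(body: str) -> int:
    """Bytes strcpy() writes for a literal body, including the NUL.
    Each backslash escape counts as one byte; octal/hex escapes are
    not handled (good enough for the constructed sample)."""
    n = i = 0
    while i < len(body):
        i += 2 if body[i] == '\\' else 1
        n += 1
    return n + 1


def scan_c_source(src: str) -> List[Finding]:
    """Pattern matching plus a crude forward slice over one function at
    a time: declared array sizes are tracked until the closing brace."""
    findings: List[Finding] = []
    sizes: Dict[str, int] = {}           # array name -> declared byte size
    depth = 0
    for lineno, line in enumerate(src.splitlines(), start=1):
        code = line.split('/*', 1)[0]    # ignore a trailing block comment
        for m in DECL_RE.finditer(code):
            sizes[m.group(1)] = int(m.group(2))
        if GETS_RE.search(code):
            findings.append((lineno, 'HIGH', 'gets() has no bound at all; use fgets()'))
        for m in STRCPY_RE.finditer(code):
            dst, src_expr = m.group(1), m.group(2)
            lit = LITERAL_RE.match(src_expr)
            if dst not in sizes:
                # Bare pointer: no size declared in scope, nothing to check against.
                findings.append((lineno, 'UNKNOWN',
                                 f'strcpy into {dst}: no size declared, cannot decide'))
            elif lit is None:
                findings.append((lineno, 'MEDIUM',
                                 f'strcpy into {dst}[{sizes[dst]}] from {src_expr}: source length unknown'))
            else:
                need = c_literal_len(lit.group(1))
                if need > sizes[dst]:
                    findings.append((lineno, 'HIGH',
                                     f'strcpy writes {need} bytes into {dst}[{sizes[dst]}]'))
        depth += code.count('{') - code.count('}')
        if depth == 0:
            sizes = {}                   # left the function: forget its locals
    return findings


if __name__ == '__main__':
    for lineno, severity, msg in scan_c_source(SAMPLE_C):
        print(f'line {lineno}: {severity}: {msg}')
```

Run as a script it reports one definite overflow, one bounded destination with an unknown source, one call it cannot judge at all, and the gets() call. A real tool works on the compiler's parse tree rather than regular expressions, follows sizes through malloc() and macros, and tracks pointer aliasing; but the limit it hits is the same one shown here: when the program never states how big the buffer is, the scanner has nothing to compare against.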