Intranet Journal   Earthweb  
Secure Coding Principles 101


Laura Taylor
1/20/2004


Code Weaknesses in Existing Applications; What Should You Do?

Existing applications can be scanned for security vulnerabilities using a variety of industry-leading scanners. It's wise to scan your applications at least twice a year to find out if they have any exploitable weaknesses. Certain applications might be mission-critical, and your management team may not let you uninstall them even if you discover that they have security vulnerabilities. However, there are things you can do to compensate for insecure code. First and foremost, you can check the vendor site, and the sites of third-party security vulnerability reporting centers such as CERT, to see if any security patches or fixes exist for the particular versions that you're running.

Another good strategy for securing your existing applications is to harden the operating system they run on. Hardening the operating system refers to making configuration changes to the underlying operating system that will render it more secure and less vulnerable to attack. One way to tighten up the underlying operating system is to secure the TCP/IP stack on which your applications run. By securing the TCP/IP stack, you increase the resiliency of your applications, making them less prone to buffer overflow and denial-of-service attacks. For leading operating systems, you can secure the stack by applying advanced security configurations, or by installing a stack-tightening tool such as SecureStack, made by SecureWave.

All operating systems can be hardened, and all of them should be if you want to optimize security. Hardening the operating system can decrease the ability of hackers to take advantage of vulnerabilities in the applications that run on top of the operating system. For example, if you do not make sure that programs use secure file permissions and ownership credentials, it may be possible for hackers to exploit setuid or setgid files to gain unauthorized access.

Products That Scan Applications and Operating Systems for Vulnerabilities

| Vendor Name | Product Name | Vendor Web Site |
|---|---|---|
| eEye | Retina | http://www.eeye.com |
| ISS | Internet Scanner | http://www.iss.net |
| Foundstone | FS1000 | http://www.foundstone.com |
| Sanctum, Inc. | AppScan | http://www.sanctuminc.com |
| SpiDynamics | WebInspect | http://www.spidynamics.com |
| Qualys | QualysGuard | http://www.qualys.com |

Security Policies for Writing Code

Establishing and enforcing security policies for coding and scripting practices may not seem worth the time at first; however, the bigger your organization is, the more important it is to do this. Establishing policies for secure coding practices builds awareness about secure coding and indicates that your organization cares that any in-house, custom-developed applications are secure. You cannot enforce policies that don't exist, so establishing policies gives you recourse to take disciplinary action against developers or development managers who refuse to adhere to the established policies.

Some application developers, particularly the ones with less experience, simply don't understand that security is something they should care about. By establishing specific policies that are particular to secure coding practices, novice developers become familiar with security principles before developing potentially insecure applications. Of course, once the policies are established, developers need to be made aware of them.

Security policies for secure coding and scripting could include policies such as the following:

  • Trusted programs or scripts should not invoke untrusted programs or scripts.

  • Do not use filenames when checking ownership and permissions within a script or program. Use filehandles instead.

  • When using input variables, arrays, and arguments, bounds checking should be established to prevent buffer overflows.

  • Sub-routines and sub-scripts should not inherit environment variables from other scripts or files.

  • All user-provided input should be checked for malicious code.

  • When scripting in Perl, taint mode should be turned on to prevent users from directly invoking system calls.

  • In Perl scripts when reading and writing to files, use advisory locks such as flock so that one routine or process does not corrupt the data of others.

  • All temporary files created by a program should be deleted when the temporary files are no longer needed.
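
Four of the policies above (checking ownership and permissions through a filehandle, not inheriting the environment, advisory locking, and cleaning up temporary files) are shown together in the added example below, which is not part of the original article and is written in Python rather than Perl. It assumes a Unix-like system; the function names, the `records.log` file and the `DEMO_SECRET` variable are constructed for illustration.

```python
import fcntl, os, stat, subprocess, tempfile

def open_trusted(path):
    """Open first, then check type, owner and mode on the open descriptor."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)  # fstat(fd), not stat(path): checks the file we hold
        ok = (stat.S_ISREG(st.st_mode) and st.st_uid == os.geteuid()
              and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
        if not ok:
            raise PermissionError(f"{path}: wrong type, owner or mode")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")

def append_record(path, line):
    """Append one line while holding an exclusive advisory lock."""
    with open_trusted(path) as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)  # waits for other cooperating writers
        fh.write(line + "\n")
        fh.flush()  # data is written before close() releases the lock

def run_helper(argv):
    """Run a child with no shell and a fixed environment, nothing inherited."""
    env = {"PATH": "/usr/bin:/bin", "LANG": "C"}
    return subprocess.run(argv, env=env, capture_output=True,
                          text=True, check=True).stdout

def demo():
    """Exercise the helpers on constructed files in a self-deleting directory."""
    os.environ["DEMO_SECRET"] = "constructed-value"  # must not reach the child
    with tempfile.TemporaryDirectory() as tmp:  # removed on exit, even on error
        log = os.path.join(tmp, "records.log")
        os.close(os.open(log, os.O_CREAT | os.O_WRONLY, 0o600))
        append_record(log, "first")
        append_record(log, "second")
        with open(log) as fh:
            lines = fh.read().splitlines()
        leaked = "DEMO_SECRET" in run_helper(["/usr/bin/env"])
        os.chmod(log, 0o666)  # constructed failure: file made world-writable
        try:
            append_record(log, "third")
            rejected = False
        except PermissionError:
            rejected = True
    return lines, leaked, rejected, os.path.exists(tmp)

if __name__ == "__main__":
    print(demo())
```

Because the checks run on the descriptor returned by `os.open`, swapping the name for another file after the check has no effect on what gets written. The `flock` lock is advisory, so it protects the data only against other writers that also take the lock.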

These policies are just a start. There are many more policies that can be added to improve the security awareness and coding practices of your organization. Typically, the organization that is responsible for securing network operations writes the security policies, but if your company is small and you don't have a security team per se, a security-savvy system administrator or software engineer can also write secure coding policies.

A Word to the Wise

As security awareness continues to grow, writing applications that are secure is becoming even more important. With a little diligence and awareness, any software engineer or developer can enhance their coding abilities (and career path) by learning basic, secure coding principles. After applications are developed, they should be tested and scanned for vulnerabilities before they are put on production servers. Some consulting firms specialize in doing code reviews, which may be well worth it if the application is going to be deployed at numerous sites on large enterprise networks.

For Further Information

For more information on secure coding principles and vulnerabilities in operating systems and applications, the following resources are well worth reading:

Smashing the Stack for Fun and Profit
By Aleph1
https://www.phrack.com/phrack/49/P49-14

Hardening the TCP/IP Stack to SYN Attacks
By Mariusz Burdach
http://www.securityfocus.com/infocus/1729

Ostia: A Delegating Architecture for Secure System Call Interposition
By Tal Garfinkel, Ben Pfaff, and Mendel Rosenblum
http://www.stanford.edu/~talg/papers/NDSS04/ostia-ndss04.pdf

Developing Secure Applications with Visual Basic
By Davis Chapman
ISBN: 0-672-31836-9

Secure Coding: Principles and Practices
By Mark Graff & Kenneth Van Wyck
ISBN: 0-7356-1588-8

Writing Secure Code
By Michael Howard & David LeBlanc
ISBN: 0-7356-1588-8

Intranet Journal
Part of the EarthWeb Network

Managing Editor
Intranet Journal

Tom Dunlap