April 20, 2009 4:00 AM PDT

Secure software? Experts say it's no longer a pipedream

by Elinor Mills

With the Conficker worm still hot and Microsoft patching multiple software vulnerabilities last week, it might be reasonable to assume the bad guys are winning the battle to get control over Internet-connected computers.

That's not necessarily the case. Developers are increasingly equipped with tools to shore up their products, and vendors are collaborating in unprecedented ways not only to close holes in software but also to make sure the holes aren't introduced in the first place, according to security experts.

"I think the industry as a whole is definitely getting better, but the spread between the best and the worst is widening," said Dan Geer, a risk management specialist and chief information security officer for In-Q-Tel, a nonprofit venture capital firm that invests in security technology.

"Conficker did far less damage in 2009 than it would have done in 2003," said Dan Kaminsky, director of penetration testing at IOActive. "Windows used to be a lot easier to blow up."


But on the eve of RSA, the world's largest security conference, which starts on Monday, experts say the hunt is on for the elusive Holy Grail of computer security: vulnerability-free software.

At RSA shows in years past, Microsoft was roundly criticized for releasing software full of security holes. In 2002, the company launched its Trustworthy Computing initiative, vowing to make security a top priority. Seven years later, the move is bearing fruit. The company reports that there are far fewer security holes in newer versions of its products and weaknesses in its operating system overall have dropped. Web applications have become the security bad boys of software.

In the second half of 2008, the proportion of Microsoft vulnerabilities on Vista-based machines accounted for just 5.5 percent of the total, Microsoft says. Machines running Vista were found to have 60 percent fewer infections than those running Windows XP, the company said in a recent report.

Microsoft went from being the vendor responsible for the greatest proportion of vulnerabilities to being third, with 2.5 percent share, according to research last year from IBM's X-Force. The lion's share of the vulnerabilities come from start-ups racing to be the next Facebook, and 70 percent of them are doing the security testing and review after they release the product, Microsoft says.

"Security is an inherently hard problem. It's difficult to get to perfection for any company," said Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group. "What we are seeing is the percentage of vulnerabilities coming out of major software organizations is dropping as a percentage of the total of vulnerabilities reported."

Better tools, fewer mistakes
The company has turned its Security Development Lifecycle (SDL) process into a pseudo-religion for other companies to follow. Last year, Microsoft began offering free SDL tools so outside developers can assess their practices and analyze their software designs to look for security weaknesses.

The tools for writing secure code are getting better, so developers are less likely to make mistakes, said Johannes Ullrich, chief security researcher at the SANS Institute security organization.

Microsoft isn't alone in providing help to the developer community. HP is offering a free tool that helps find holes in Flash applications, and last week announced tools that nonsecurity professionals can use to do security testing. IBM sells a tool for Flash and Ajax developers, and last week the CERT Coordination Center at Carnegie Mellon released an open-source tool for testing ActiveX code.

In particular, Microsoft's recent release of an open-source tool called "!exploitable Crash Analyzer," which simplifies the process of identifying exploitable vulnerabilities during application development, is a "game changer," said Kaminsky.

"I don't think it's ever been quite so easy for non-security developers to recognize when they have vulnerabilities, when they have a flaw that could be used by a bad guy," he said.

Despite the recession, the software security market is growing significantly, accounting for more than $450 million in revenue in the U.S., Gary McGraw, chief technology officer at software security consulting firm Cigital, wrote in an article last week.

The challenge for developers
McGraw recently got a peek at the secure development processes at Microsoft, Google, Adobe, Wells Fargo, The Depository Trust & Clearing Corp., and four other leading companies, and released a report card of sorts (although grades are confidential) that other companies can use to gauge their level of progress. The Building Security in Maturity Model is "an objective yardstick" for development of products that are secure, McGraw said.

"In my view, software security is getting more and more important every single day," he said. "The good news is we are actually making some progress." The tools are out there, but the problem is developers often aren't trained, experts said.

A Forrester survey commissioned by Veracode and released last week found that only 34 percent of companies have a comprehensive software development lifecycle process that integrates application security and 57 percent of organizations don't have systematic application security training programs for developers.

Ullrich advocates a concept he calls "software security street fighting," in which developers avoid the complex techniques that make it easier to introduce holes.

"Developers, to some extent, can't really win," Ullrich said. "They have to be right every single time, while an attacker only has to be right once."

Meanwhile, companies are increasingly cooperating to fight off threats such as Conficker and attacks on a major flaw in the Domain Name System (DNS) that threatened to create chaos on the Internet. Microsoft, IBM, Intel, Cisco, and Juniper Networks have also formed the Industry Consortium for the Advancement of Security on the Internet.

"In my mind a massive theme going on is that security is now larger than any individual company. It's larger than Microsoft, it's larger than the U.S. government," said Kaminsky, who first discovered the DNS hole. "This is something we're all going to need to work together on and have been to great effect."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
18 Comments
by poster48150 April 20, 2009 5:57 AM PDT
As long as achieving security requires the end-user to *do* anything such as install patches, or *not do* anything like write his/her password on a sticky note, the pipe dream will continue.
Reply to this comment
by Lerianis3 April 20, 2009 11:28 AM PDT
Unfortunately, I have to agree. The fact is that software will NEVER be totally vulnerability free in my lifetime or my 4th great grandchildren's lifetime! Code has become so large and complex that figuring out ALL the way that someone could attack your code-base is never going to happen.
by Michichael April 20, 2009 9:31 AM PDT
"....patching multiple more software vulnerabilities last week..."

Multiple more? Might want to fix that, Elinor! :)

Otherwise, I agree. There's only so much a developer can do - it's a matter of striking the balance between "good enough" code and time spent.
Reply to this comment
by elinormills April 20, 2009 10:02 AM PDT
Fixed. thanks!
by sargess25 April 20, 2009 10:08 AM PDT
"Secure software?" as long as it doesn't run on a Windows OS platform, it's not a pipedream
Reply to this comment
by rapier1 April 20, 2009 10:50 AM PDT
Ummm... no. Unless you think apache vulnerabilities and php exploits are a myth.
by Lerianis3 April 20, 2009 11:30 AM PDT
Why do people ALWAYS take this as a means to 'bash' Windows software? The fact is that Linux and OSX most likely have vulnerabilities.... the difference is that there are not TONS of people looking for those vulnerabilities so they can exploit them!
by gertruded April 20, 2009 11:46 AM PDT
sargess25 you are exactly right. MS needs to start over. It amazes me that people still use Windows online after all these years.
by tm_anon April 20, 2009 4:42 PM PDT
@Lerianis3

Actually, Linux does have tons of people looking for vulnerabilities. Those people are also the ones using Linux so they won't be exploiting the code, they'll be trying to fix the code or at least reporting it to someone else who has the skills to fix it for them.

As for 'bashing' Windows software, there's not really a need to. In order to keep my Windows machine clean and secure, I was running a daily scan for malware, a monthly scan by a more thorough antivirus program and ensuring to clear my cache completely when finished surfing, including all cookies. In order to keep my Linux machine clean and secure, I just run the updates with the occasional virus scan to protect my Windows using friends.

No bashing required.

By the way, when a friend of mine recently wanted to switch to a Mac, I had her make up a pros and cons list between a Windows machine and a Mac, her only cons for Mac were the pieces of FUD being tossed around. Her cons for Windows were all from experience. Now tell me, who's 'bashing' who again?
by Mike Acker April 20, 2009 10:56 AM PDT
The hardware needed to secure an x86 system has been available since the 80386. The 80386 and better provide RING0 for the kernel and operating software and RING3 for user programming.

Properly implemented, a user program, such as your browser, Word, Excel, Adobe etc., cannot harm your system: it does not have permission to do anything; it must request all I/O and memory access from the supervisor.

Once access to the I/O system has been restricted to the supervisor and storage protect keys are provided for memory, the essentials are present.

Microsoft didn't get serious about security until XP/SP2, and with that, they have started to make progress.

The goal of course is that NOBODY, and I do mean NOBODY, updates any programming on your computer without your knowledge and consent.

The foundation is there. But what of the determination?
Reply to this comment
by Lerianis3 April 20, 2009 11:41 AM PDT
Actually, some things HAVE to be updated 'without your knowledge and consent'. The fact is that is not the real problem with security today. The problem is that some idiots download things from 'grey-ware' or 'black-ware' websites and do not take proper precautions (like virus scanning installation packages) before installing something or running something.

UAC pretty much prevents someone from running something on your machine WITHOUT your permission. The problem is that some people just click through UAC prompts like idiots who should be slapped thousands of times without reading the information on the UAC alerts.
by Mike Acker April 20, 2009 11:07 AM PDT
Software Inventory

Most of us sit at our screen hammering away -- and we ain't got a clue what we got for software under the keys

because we don't have the ability to inventory our systems.

This is a defect which can be fixed without really all that much trouble.

What is needed is a bootable CD or flash stick with a software inventory and master program.

You would just put it in your machine and boot up, kick back and watch while the Master Program checks the software inventory on your computer -- using a digital signature for every program.

It is necessary to do this from a stand-alone running program so that root kits will be unable to hide the programming changes they have made by giving falsified responses to system utilities such as directory list.

Think about this: if your system is properly secured so that user programs like your browser, Word, Excel, PowerPoint etc. all run in RING3 -- these programs can't do anything bad anyway: there would be no need to inventory anything other than the actual operating system.
Reply to this comment
by Lerianis3 April 20, 2009 11:42 AM PDT
Actually, Windows XP, Vista and Windows 7 have that in them. It's a little-known command that checks the listing of the files on your program to make sure that they are actually Microsoft versions and if they aren't.... it restores the original Microsoft file unless you tell it not to (by having it do a 'check-only' scan).

I've used that tool NUMEROUS times to fix problems with Windows Defender on my machine when I have been stupid and deleted a file that messed it up.
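The offline inventory Mike Acker describes above and the built-in file check Lerianis3 mentions come down to the same operation: hash every file, compare the hashes against a known-good manifest, and keep that manifest somewhere a compromised system cannot rewrite it. The following Python is an added example, not code from the article or from either commenter. The directory tree, the file contents, the key and the simulated tampering are all constructed here; an HMAC over the manifest stands in for the per-program digital signature he mentions (an assumption: a real deployment would sign the manifest with an offline private key and verify it with the public key carried on the boot media).

```python
"""File-integrity inventory: hash a tree into a manifest, authenticate the
manifest, and later report modified, missing and unexpected files.

Added example; the tree, contents, key and tampering below are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding (assumption: stands in for a
    real signature so that the manifest itself cannot be silently edited)."""
    data = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, key: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare the live tree against the manifest. 'unexpected' catches files a
    rootkit dropped; 'missing' catches deletions; 'modified' catches patched
    binaries. Run this from trusted boot media so the reads bypass a possibly
    compromised kernel."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Build a tiny constructed tree, snapshot it, tamper with it, re-check."""
    key = b"example-key-kept-offline"  # assumption: lives on the boot media
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho ls\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho ps\n")
        (root / "etc.conf").write_text("verbose=0\n")

        manifest = build_manifest(root)          # taken while the tree is clean
        tag = sign_manifest(manifest, key)

        # Simulated compromise: patched binary, deleted tool, dropped library.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho ls; curl evil\n")
        (root / "bin" / "ps").unlink()
        (root / "bin" / "rootkit.so").write_bytes(b"\x7fELF")

        report = verify_tree(root, manifest)
        report["manifest_authentic"] = manifest_is_authentic(manifest, key, tag)

        # An attacker who edits the manifest to bless the patched ls fails the tag.
        tampered = dict(manifest)
        tampered["bin/ls"] = hash_file(root / "bin" / "ls")
        report["tampered_manifest_authentic"] = manifest_is_authentic(tampered, key, tag)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check only means something if both the manifest and the hashing code run from media the host cannot write, which is exactly why the comment insists on booting from a CD or flash stick: a rootkit that hooks the running kernel can return clean bytes to any in-system scanner.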
by Mike Acker April 20, 2009 11:25 AM PDT
A Comprehensive plan for Windows Security: Slam the Windows and Lock the door

1 Single logon: we have all wanted Single Logon for a long time. By making the Desk-top ICON into an executable we can achieve Single Logon and take the First Step on the Road to Security. What should happen when you click an ICON is the ICON should be executable. First it would log you on using a "run as" function with an extended user ID. For example when I launch FireFox the ICON would log me on as MIKE.FIREFOX and of course FIREFOX would run in RING3 as a user problem state program. All programs launched under that original thread would continue to use this restricted logon. This consists of slamming the windows.

2 Require all executable programs to be registered and authenticated. Restrict the registration process to the setup process only so that there is only one doorway through which programs or program updates can be applied to the system. This consists of locking the door.

3 Provide for Software Inventory as described earlier. Always a good idea to check things.
Reply to this comment
by April 20, 2009 11:26 AM PDT
personal opinion:
as long as w/men in charge, don't even dream about it!!!!
Reply to this comment
by grecs April 20, 2009 2:37 PM PDT
This article brings up a lot of good points however I don't think it will ever be possible to create totally secure software. Even with proper processes and training, the people that run these are human. And we all make mistakes, especially under the time and pressure constraints many vendors put on their people just to get the product or features out the door. We'll definitely lower our risk profile but it is impossible to create software that can't be hacked.
Reply to this comment
by Mac OS XP April 20, 2009 4:08 PM PDT
Conficker didn't do so much damage (yet) because it wasn't coded to. It spread (is spreading) to a massive number of computers. Microsoft and internet security companies are not to be praised for any lack of damage.
Reply to this comment
by eiverson April 21, 2009 8:14 AM PDT
We're making progress on treating cancer too. But people die from it every day. It'll take years for information security practices for software development to give us peace of mind. Meanwhile, we cannot trust the software that runs on our computers.

http://www.securitynowblog.com/endpoint_security/computer-software-hijacked-malware-attack-steal

Everyone needs something like AppGuard, GesWall, DefenseWall, or other security software products to supplement our anti-virus/spyware defenses.
Reply to this comment