Computer Weekly has a topic-classification field labelled ‘application security and coding requirements’ and it’s there for a reason. All too often we talk about security in terms of what chief information security officers (CISOs) need to think about as we attempt to work out which piece of malware, ransomware or Trojan is about to surface. But what do software developers need to remember, in the first instance, in terms of application security and coding requirements?
Application security & coding
How do we make sure security is ‘baked in’ at the architectural level? What kind of programmer needs to be tasked with security responsibility? What about presentation layer programmers who only look at the top end? Do they need to worry about the back end? Do developers need one (football/soccer) goalkeeper to look after security… or should they act more like a rugby team and all assume responsibility (relatively speaking) for defence?
NOTE: Computer Weekly readers should focus on security editor Warwick Ashford for the most regular insight into the InfoSec space.
Strolling (Ed — you mean gasping, right?) around the InfoSecurity Europe show from 7-9 June in London, the CWDN blog attempted to quiz a few exhibitors on coding for security. The spokespeople often falter at first.
“What, you mean you don’t want me to tell you about our unique approach to security vulnerabilities?…” they ask.
Trend Micro’s Ferguson, the rock god of cybersecurity
Trend Micro’s VP of security (and all-round rock god of cybersecurity) Rik Ferguson was less flaky by a country mile. Ferguson contends that the big trend this year is ransomware spreading its wings and now targeting the enterprise rather than just home users.
“Also, we’re seeing a lot of code re-use in terms of malware becoming available to more hackers, in an almost open source sense. I mean, Zeus was initially closed and only available to a few… then it became a more open code base,” he said.
Asked what his main thoughts were on current trends, Ferguson said the main thing with IoT security is the connection point and the APIs… and the need to lock that part of the data journey down.
“It’s not about IoT device security and locking down the devices themselves, that battle has already been lost. For my money I would say that APIs are the attack surface of the future,” said Ferguson.
Bromium: killing the urge for malware
Bromium CEO Ian Pratt used his appearance at the show to explain that his firm’s technology creates a separate Virtual Machine (VM) for each application task. In this way, a task that does get exploited stays contained inside its own VM instead of reaching the rest of the host.
“Bromium technology stands outside the VM, recording with a black box to see what is happening. If an attack happens it allows us to record the full kill chain of events and see how the malware is perpetrating itself and what vulnerability it is attempting to exploit,” said Pratt.
We could call Bromium’s technology micro-virtualisation. It means that each application runs on the principle of least privilege, i.e. the app is only given what it needs in order to run, and nothing that would let a compromise spread beyond it.
Sandboxing clever at Lastline
Senior security researcher Marco Cova at Lastline explains his firm’s approach, which continues the theme of separation. Suspect code is run inside a sandbox that emulates the machine at the CPU level, so that its behaviour, and the vulnerabilities it tries to exploit, can be observed without it ever touching a real host.
“But malware is often built with enough intelligence to be able to know whether it is running on a real user’s machine or whether it has been channelled into a testing zone. The malware will make system calls to open a file… say the malware is inside a Word macro, it will check for recently opened files and if there are only three docs (let’s say) then it would be more likely to be on a test sandbox,” explained Cova.
Malware is even able to check the serial number of a Windows installation to see if it’s running in a Virtual Machine. There is as much coding intelligence on the malware side as there is in the tools built to fight it.
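To make the two evasion checks Cova describes concrete, here is an added example (it is not code from Lastline or from the article) that applies them to constructed host profiles. A sandbox operator can use the same logic to ask whether an analysis VM would look “too clean” to a macro that counts recent documents and reads firmware strings. The `HostProfile` fields, the `VM_MARKERS` list and the threshold of ten recent documents are all assumptions made for the example; nothing is read from the machine it runs on.

```python
"""Sandbox-fingerprinting heuristics from the article, applied to constructed
host profiles. Added example: not Lastline's code, not from the article."""
from dataclasses import dataclass
from typing import List

# Strings that commonly appear in the BIOS serial number or manufacturer field
# of a virtual machine. An illustrative list assumed for this example.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "xen", "hyper-v", "parallels")


@dataclass
class HostProfile:
    """The facts a macro can gather cheaply through ordinary system calls."""
    recent_docs: List[str]   # entries of the Office "recent files" list
    bios_serial: str         # e.g. SMBIOS / Win32_BIOS.SerialNumber
    manufacturer: str        # e.g. Win32_ComputerSystem.Manufacturer


def sandbox_indicators(profile: HostProfile, min_recent_docs: int = 10) -> List[str]:
    """Return the reasons this host looks like an analysis sandbox.

    An empty list means the host passes both checks and would be treated as
    a real user's machine by malware using these heuristics.
    """
    reasons = []
    # Heuristic 1: a real user's machine accumulates a recent-documents list;
    # a freshly provisioned sandbox has a handful of files at most.
    if len(profile.recent_docs) < min_recent_docs:
        reasons.append(
            f"only {len(profile.recent_docs)} recent documents (< {min_recent_docs})"
        )
    # Heuristic 2: virtualisation products leave their name in firmware strings.
    fields = (profile.bios_serial.lower(), profile.manufacturer.lower())
    for marker in VM_MARKERS:
        if any(marker in field for field in fields):
            reasons.append(f"firmware string mentions '{marker}'")
            break
    return reasons


def is_sandbox(profile: HostProfile) -> bool:
    """True if either heuristic fires."""
    return bool(sandbox_indicators(profile))


# Constructed profiles: a bare analysis VM, a well-used laptop, and a sandbox
# whose operator has seeded recent files and masked the firmware strings.
BARE_SANDBOX = HostProfile(
    recent_docs=["invoice.docx", "readme.txt", "sample.doc"],
    bios_serial="VMware-56 4d 2a 7b 11 22 33 44",
    manufacturer="VMware, Inc.",
)
USER_LAPTOP = HostProfile(
    recent_docs=[f"report_{i}.docx" for i in range(24)],
    bios_serial="5CG1234ABC",
    manufacturer="HP",
)
HARDENED_SANDBOX = HostProfile(
    recent_docs=[f"notes_{i}.docx" for i in range(15)],
    bios_serial="PF2ABCDE",
    manufacturer="LENOVO",
)

if __name__ == "__main__":
    for name, profile in (("bare sandbox", BARE_SANDBOX),
                          ("user laptop", USER_LAPTOP),
                          ("hardened sandbox", HARDENED_SANDBOX)):
        print(f"{name}: {sandbox_indicators(profile) or 'passes as a real host'}")
```

The hardened profile is the point for a defender: the cheapest counter to this class of evasion is to make the sandbox pass the same checks the malware runs, by seeding a plausible recent-files history and scrubbing the vendor names out of firmware fields before detonating samples.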
Shift from prevention to detection
Strategic director at MWR InfoSecurity Peter Cohen reflected a trend voiced by several InfoSec 2016 presenters when he explained that there is a general shift from prevention to detection.
“Gartner calls this Managed Detection Response (MDR) and it explains much of how the information security industry is developing right now,” said Cohen.
MWR InfoSecurity provides specialist advice and solutions in all areas of security, from professional and managed services, through to developing commercial and open source security tools.
Amit Ashbel from Checkmarx agrees that the emphasis is shifting, but argues that developers should not leave detection to the security team alone.
In his capacity as director of product marketing & cyber security evangelism, Ashbel wrote recently, “Your source code – along with secure application code practices – is your edge over hackers. A couple of months back, part of the Checkmarx team, myself included, attended a security conference in India where we presented our solutions and provided demos for attendees who wanted to see how the solution enables detecting and mitigating vulnerabilities in code.”
Ashbel argues that we now need to align quality testing (in terms of software functionality) with security testing.
The new developer mantra shouldn’t be: write code — fix bugs — write code… it should be write code — fix bugs (functionality & security) — write code and repeat and so on. A more secure world of software awaits… definitely maybe.
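What “fix bugs (functionality & security)” looks like in a test suite, as an added example that is neither Checkmarx’s code nor from the article: one small helper that maps a user-supplied path to a file under a public directory, tested once for the thing it is supposed to do and once for the things it must refuse. The function name `resolve_download` and the directory layout are assumptions of the example.

```python
"""A functional test and a security test for the same helper, run together.
Added example, not from the article or any vendor named in it."""
import os
import pathlib
import tempfile


def resolve_download(root: str, requested: str) -> pathlib.Path:
    """Map a user-supplied relative path to a file under `root`.

    Functional requirement: 'reports/q1.pdf' resolves to <root>/reports/q1.pdf.
    Security requirement: no request may escape `root`, whether through '..',
    an absolute path, or a symlink inside root that points outside it.
    """
    base = pathlib.Path(root).resolve()
    # pathlib discards `base` when `requested` is absolute, and resolve()
    # collapses '..' and follows symlinks, so the containment check below sees
    # the real target rather than the string the caller sent.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"refusing to serve {requested!r}: outside {root}")
    return candidate


def run_suite() -> dict:
    """Run functional and security cases against a temporary directory tree.

    Returns a mapping of case name to pass/fail so the result can be checked
    by a caller rather than only printed.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "public")
        os.makedirs(os.path.join(root, "reports"))
        target = os.path.join(root, "reports", "q1.pdf")
        open(target, "wb").close()
        # Secret file one level above the public root, constructed for the test.
        open(os.path.join(tmp, "secret.txt"), "wb").close()

        # Functional case: the ordinary request lands on the right file.
        results["functional"] = (
            resolve_download(root, "reports/q1.pdf") == pathlib.Path(target).resolve()
        )
        # Security cases: every escape attempt must raise, never resolve.
        escapes = (
            ("traversal", "../secret.txt"),
            ("nested traversal", "reports/../../secret.txt"),
            ("absolute path", "/etc/passwd"),
        )
        for name, bad in escapes:
            try:
                resolve_download(root, bad)
                results[name] = False
            except PermissionError:
                results[name] = True
    return results


if __name__ == "__main__":
    for case, passed in run_suite().items():
        print(f"{'PASS' if passed else 'FAIL'}  {case}")
```

A purely functional suite would contain only the first case and would stay green while the helper happily served `../secret.txt`; putting the escape cases beside it is the alignment Ashbel is asking for.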