Security archives - Software Quality Insights


Dec 19 2008   1:35AM GMT

Security flaws and Agile boom top software quality news in 2008

Posted by: Jan Stafford
Security, Agile software development, Open source development tools

Security vulnerabilities and the boom in Agile development adoption topped the SearchSoftwareQuality.com news charts in 2008. Here’s a rundown of the five most-read news articles and their significance.

Three of the top five articles focus on Agile development. In the #1 story, Predicting software quality trends for 2008, software quality experts predicted that Agile adoption would increase. Two other articles in the top five were about Agile, and in fact about one-third of the top 20 news stories were about Agile.

Agile development: Not just for ‘agilists’ anymore (#4) discussed Agile’s move outside of its early adopter niche and the impact of its wider usage. Next came Software development groups take many routes to Agile (#5), which revealed the results of SearchSoftwareQuality.com’s 2008 Agile Trends Survey. Most Agile technique users, according to that survey, use Scrum (41%). Next in popularity was Extreme Programming (XP) at 15%. Others use hybrid Agile methodologies, while about three percent each use Crystal and the Dynamic Systems Development Method (DSDM).

The SSQ 2008 Agile Trends Survey showed that 45% of software pros follow Agile methodologies, while 44% use waterfall. Other development methodologies cited were test-driven development (19%) and RUP (15%).

Security flaws in leading open source software platforms drew a lot of attention, and articles on security issues in the Spring Framework and open source Java projects ranked in second and third place, respectively.

While open source development projects typically fix flaws quickly, as happened in these cases, the emergence of serious vulnerabilities may have taken some IT pros by surprise. People expect problems with Microsoft products, but not with open source products, said Kevin Beaver, CISSP and Principle Logic LLC consultant, commenting on the fact that these two stories got so many clicks.

“We’re seeing more and more that open source has its own security woes,” Beaver said.

Don’t blame the open source community and its developers, Beaver advised.

“The fact is that as long as human beings are developing applications on the complex and extensible OS (operating system) architectures we have, there will be security problems.”

Most importantly, he said, the emergence of vulnerabilities should not scare anyone away from using open source software like open source Java or the Spring Application Framework.

It is important to point out that just because a static analysis tool vendor finds flaws in open source code, that doesn’t mean the vulnerabilities can or will ever be exploited.

Keep using open source software, Beaver concluded, and “take this marketing tactic with a grain of salt.”

Now that you’ve checked out these stories, please let me know your choices for the top software quality news stories of 2008. You can write to me at jstafford at techtarget.com.

Dec 10 2008   4:03PM GMT

Security boost for LAMP stack

Posted by: Michelle Davidson
Security, Software Quality

LAMP, an open-source Web development platform based on Linux, Apache, MySQL, and PHP, is getting some added protection from attacks thanks to Metaforic.

Metaforic, a provider of anti-tamper solutions, announced that upon request it will provide free versions of secured Apache and MySQL to enterprises. Utilizing a lightweight version of MetaFortress, Metaforic will provide anti-tamper protection and continuous integrity checking for critical parts of the LAMP stack to help defend against multi-vector attacks designed to discover and exploit the weakest point of an organization’s server infrastructure.

The move is important because as more enterprises deploy open-source technology, cybercriminals will target the security vulnerabilities within that infrastructure. And those criminals are looking for any weak spot, whether it’s the operating system, Web server, database system, or the application layer.

MetaFortress Open is specifically targeted at network infrastructure applications. Like the flagship MetaFortress, Open is an anti-tamper solution that inserts security and integrity checks into an application’s source code to protect against hacking and unauthorized usage.


Nov 19 2008   7:00PM GMT

Protecting data in software testing environments

Posted by: Michelle Davidson
Security, Software testing, Software Quality

When you think about application or software security, you usually think about the bad guys outside your company trying to get in. But just as often, if not more often, the danger comes from within, with employees accessing personal data.

The issue of protecting data comes up when testing applications. Testers need production-like data to ensure applications work correctly, but you don’t want to give them live data. To help with that, companies are employing data masking technologies.

DataGuise is one company that provides a data masking tool. This week the company announced the industry’s first masking in place (MIP) solution for multi-database environments, the DataGuise dgSolution suite. Company officials say the suite solves two of the biggest concerns for building non-production test environments: time-to-deployment and production data leakage.

The suite includes dgDiscover, which helps locate sensitive data across various databases, and dgMasker, which masks the data in non-production environments.

dgMasker comes with 15 masking options out of the box, including options for Social Security numbers, credit card numbers, addresses, etc. And because it runs across multiple databases, a value masked in one database is masked the same way in the others, so you get consistent test data.
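The consistency property described above (one customer’s identifier masked to the same value in every database) is what lets cross-database joins survive masking. As an added example, not DataGuise’s code, here is a minimal deterministic, format-preserving masker in Python built on a keyed HMAC; the key, column names and sample rows are constructed.

```python
import hashlib
import hmac

# Constructed demo key. A real deployment keeps the masking key in a secrets store,
# never alongside the non-production data it protects.
MASKING_KEY = b"constructed-demo-masking-key"


def mask_digits(value: str, label: str, key: bytes = MASKING_KEY) -> str:
    """Replace every digit in `value` with one derived from HMAC-SHA256(key, label || value).

    Separators and length are kept, so a masked SSN still looks like an SSN, and the
    same key plus the same input always gives the same output. That determinism is
    what keeps one customer's identifier consistent across every database it appears
    in; use the same `label` (here, the column name) for the same identifier everywhere.
    HMAC is one-way, so the real value cannot be recovered from the masked one.
    Caveats: byte % 10 is slightly biased toward 0-5, and masked card numbers will not
    pass a Luhn check; fine for test data, not for anything that must validate.
    """
    digest = hmac.new(key, label.encode() + b"\x00" + value.encode(), hashlib.sha256).digest()
    digits = iter(str(b % 10) for b in digest)  # 32 pseudo-random digits, enough for any field here
    return "".join(next(digits) if ch.isdigit() else ch for ch in value)


def mask_table(rows: list[dict], sensitive: set[str], key: bytes = MASKING_KEY) -> list[dict]:
    """Mask the listed columns in every row; all other columns pass through unchanged."""
    return [
        {col: mask_digits(val, col, key) if col in sensitive else val for col, val in row.items()}
        for row in rows
    ]


def join_count(left: list[dict], right: list[dict], column: str) -> int:
    """Number of `left` rows that find a partner in `right` on `column` (an equi-join)."""
    keys = {row[column] for row in right}
    return sum(1 for row in left if row[column] in keys)


# Constructed sample data: a CRM database and a billing database sharing the SSN column.
CRM_ROWS = [
    {"name": "A. Example", "ssn": "123-45-6789"},
    {"name": "B. Example", "ssn": "987-65-4321"},
    {"name": "C. Example", "ssn": "555-12-3456"},
]
BILLING_ROWS = [
    {"ssn": "123-45-6789", "card": "4111 1111 1111 1111"},
    {"ssn": "987-65-4321", "card": "5500 0000 0000 0004"},
    {"ssn": "000-00-0000", "card": "3400 0000 0000 009"},  # no matching CRM customer
]


def masked_databases(key: bytes = MASKING_KEY) -> tuple[list[dict], list[dict]]:
    """Mask both databases with the same key so cross-database joins keep working."""
    return mask_table(CRM_ROWS, {"ssn"}, key), mask_table(BILLING_ROWS, {"ssn", "card"}, key)


if __name__ == "__main__":
    crm, billing = masked_databases()
    print("joins before masking:", join_count(CRM_ROWS, BILLING_ROWS, "ssn"))
    print("joins after masking: ", join_count(crm, billing, "ssn"))
    for row in billing:
        print(row)
```

Masking each database with a different key (or a different label for the same identifier) would break the joins, which is exactly the inconsistency the suite is meant to avoid.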

Erik Jarlstrom, vice president of customer advocacy at DataGuise, said they tried to make it a high-performance suite. “We really tried to make it as fast as possible so you aren’t releasing unmasked data to development,” he said.


Nov 7 2008   4:18PM GMT

What are the top software tools of 2008?

Posted by: Michelle Davidson
Software testing, Application security, Project management, Software testing tools, Software Quality, Requirements management, Agile software development, Requirements gathering, Software performance, Software requirements validation

As the year starts to wind down, we at SearchSoftwareQuality.com are looking back at what took place during 2008. One thing that we’re focusing on is the tools and solutions that were released. In an effort to help our readers understand what tools are available to help them, we are creating a guide to tools released in 2008 to be published in January.

In order for us to do that, we need your help identifying tools that were released. The tool categories we’re focusing on:

  • Software testing
  • Test management
  • Code quality
  • Application security
  • Software requirements
  • Agile development
  • Project management
  • Application lifecycle management
  • Application performance monitoring & management

Please send us information about tools released between Jan. 1, 2008, and Oct. 31, 2008, that you’d like us to consider for the guide. The tools must be new products or significant upgrades. And you must include the following information:

  • Product name and version/model number
  • Company name
  • URL for the product
  • Product or company logo
  • Date product was released
  • Tool category (see above)
  • Product description
  • If it’s an upgrade, features that were added
  • What makes it innovative?
  • Details about how it performs
  • Details about its ease of use and manageability
  • Pricing

Send your product submissions to Editor@SearchSoftwareQuality.com by Friday, Dec. 12.


Oct 30 2008   4:46PM GMT

Lowered cost for security testing suite

Posted by: Michelle Davidson
Application security, Software testing tools, Software Quality

In response to economic issues and as a way to encourage more companies to test applications for security, Ounce Labs has reduced the cost of its Static Application Security Testing suite.

The shift in the pricing and licensing models will lower costs and complexity for Ounce 6 customers, the company said.

In a prepared statement Ounce CEO Gary Jackson said:

We intend to accelerate enterprise adoption and make source code analysis more accessible for every company concerned with application security, from the smallest shops to the largest enterprises. The new pricing schedule will speed time to value and ensure that every organization can afford, deploy, and capitalize on source code scanning to protect their critical data.

The fee for the defined organization will allow unlimited users or seats, and unlimited product installations. Third-party contractors working for the organization will also have access to the products, at no additional fee.

“Site” is a single legal organization where all users are within a 3-mile radius. An organization with fewer than 200 employees and operating revenue of $50 million or less is a Level A Site. This may be an independent company or the department of a larger company.

“Business Unit” is a geographically dispersed, single legal organization. An organization with operating revenue of $500 million or less is a Level C Business Unit.

[Image: ounce-pricing.gif, Ounce pricing tiers]


Oct 29 2008   7:00PM GMT

More from the e-voting front

Posted by: Michelle Davidson
Software testing, Application security, Software Quality

Two more stories about e-voting machines were reported this week. The first is about a report from Princeton University that says an e-voting machine in New Jersey can be hacked in seven minutes.

In its report, the university says it is possible to hack the Sequoia AVC Advantage 9.00H DRE (direct-recording electronic) voting machine by loading fraudulent firmware.

Sequoia has responded to the Princeton study with a report of its own, rebutting many of the claims in the Princeton report.

Princeton’s study, conducted during the summer as part of a lawsuit in New Jersey, was only cleared for release a couple of weeks ago. The report, and the examination of the e-voting systems itself, came so late because of how long a 2004 lawsuit against the state over its use of DRE machines has taken to progress.

In 2004 a group of public-interest plaintiffs sued the State of New Jersey over the State’s use of DRE voting machines. The plaintiffs argued that the use of DRE voting machines is illegal and unconstitutional.

The case was dismissed in January 2005 by a trial court, but then appealed. While the appeal was pending, the state legislature passed — and the governor signed — a bill requiring that no later than January 1, 2008, any voting system in New Jersey must produce a voter-verified paper ballot.

In 2006 the Appellate Court reinstated the lawsuit and instructed the trial judge to monitor the progress of State election officials in meeting the legislature’s deadline. In 2008 the executive branch twice requested delays to the deadline and the legislature obliged.

Based on concern that the state would not meet the deadline, the lawsuit was allowed to continue and the judge ordered that the state provide to the plaintiffs’ expert witnesses the voting machines complete with their source code. The witnesses, who are authors of the Princeton report, examined the voting machines and their source code during July and August 2008 and delivered their report to the court on Sept. 2. A court order permitted them to make their findings available to the public 30 days later.

So, the state of New Jersey had four years to improve its e-voting systems and prevent a lawsuit, yet it did not. And now voters in that state once again are using machines that can be tampered with and don’t produce paper ballots — and once again face the possibility that their votes may not count.

E-voting problems in Finland

The other story being reported is that usability problems in Finland’s pilot e-voting system caused 2% of votes cast to be lost.

With that system, voters were required to insert a smart card to identify the voter, type their selected candidate number, press “OK”, check the candidate details on the screen and then press “OK” again. Some voters did not press “OK” a second time and instead removed their smart card prematurely, causing their ballots not to be cast.


Oct 27 2008   5:25PM GMT

Security review of Florida voting system

Posted by: Michelle Davidson
Software testing, Application security, Software Quality

Since I wrote about the Florida voting experience, it has been brought to my attention that the state of Florida commissioned an independent expert review of the remote voting software being used in Okaloosa County. A team from the Florida State University’s (FSU) Security and Assurance in Information Technology (SAIT) Laboratory reviewed the Pnyx.core ODBP 1.0 remote voting software developed by Scytl.

The software is for use in the Okaloosa Distance Balloting Pilot (ODBP), which will test remote e-voting for about 1,000 overseas voters whose permanent residence is in Okaloosa County. It replaces other absentee voting mechanisms for participating overseas voters.

Under this pilot, voters will enter their votes electronically, those votes will be transmitted over the Internet, and the votes will be tabulated electronically.

The state of Florida, which certified this system at the end of September, always certifies its voting technology and processes. And in the past an independent review was done of the then-named Diebold systems. What makes this review stand out is the vendor’s willingness to cooperate and provide a full build environment for the source code.

“Scytl provided VMWare virtual machine images containing a full build environment, scripts to drive the build process, and step-by-step documentation describing how to initiate the build process,” according to the team’s report.

Doing that saved the team “significant” time and made it possible to apply static analysis tools to the software. The team used reports from two static analysis tools:

  • Fortify SCA, donated by Fortify, was used by the team.
  • Klocwork Insight was used by the Florida Division of Elections.

Additionally, the team participated with the vendor in an online question-and-answer exchange that “proved invaluable to the study.”

The team’s final report was mixed; it reported some good things, but it also found some bad things. In general, the system passed review and was certified by the state.

But the important thing to take from this was the process and the cooperation of the vendor. This is hopefully the start of how things are done for the 2012 election.

“There are very few developers engaging with vendors such as [Klocwork] or state-sponsored programs to make their code usable in four years time or eight years time,” said Gwyn Fisher, Klocwork’s CTO.

Brendan Harrison, director of marketing at Klocwork, said it’s hoped that this review is used as a model going forward.

“The e-voting marketplace burst on the scene, and what we see happening is that the e-voting vendors are going to have to change how they develop software and work more cooperatively with the authorities,” he said.

The e-voting market needs to transition to one that is regulated in order to enforce good standards, a high-quality process, and a secure development lifecycle.


Oct 3 2008   2:51PM GMT

Web application security more important than ever

Posted by: Jennette Mullaney
Application security, Software Quality

Discussing Web security with even the nicest security professionals can leave one feeling chilled to the bone. It’s not the fault of the security people — it’s just chilling to be reminded how vulnerable the Web really is.

Recently, I spoke with Jeremiah Grossman of WhiteHat Security — a very nice guy with very bad news. Most of you have probably heard of the clickjacking threat by now. The vulnerability allows attackers to place an invisible “button” of sorts on Web pages. When it is placed over a legitimate button on a Web page, users click as they normally would and have no idea that they’ve been attacked.
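Clickjacking depends on the attacker being able to frame the target page, so the defence browsers later standardised is for the server to declare who may frame it. As an added example (not code from the post, WhiteHat or Adobe), this Python function evaluates a response’s X-Frame-Options and CSP frame-ancestors headers, both introduced after this 2008 post, and reports whether a given origin would be allowed to frame the page; the origins are constructed and the source-matching rules are a simplified subset of the CSP grammar.

```python
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Reduce a URL to its lower-cased scheme://host[:port] origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _source_matches(source: str, embedder: str) -> bool:
    """Match one CSP host-source or scheme-source against an embedding origin.

    Supports scheme-only sources (https:), an optional scheme, an optional explicit
    port and a leading *. wildcard. Path components and default-port equivalence
    from the full CSP grammar are deliberately left out (simplifying assumption)."""
    emb_scheme, _, emb_hostport = embedder.partition("://")
    source = source.lower()
    if source.endswith(":") and "/" not in source:  # scheme-source such as https:
        return emb_scheme == source[:-1]
    src_scheme, has_scheme, src_hostport = source.rpartition("://")
    if has_scheme and src_scheme != emb_scheme:
        return False
    if ":" in src_hostport:  # explicit port: host and port must both match
        return src_hostport == emb_hostport
    emb_host = emb_hostport.split(":")[0]
    if src_hostport.startswith("*."):  # *.example.com matches any subdomain, not the apex
        return emb_host.endswith(src_hostport[1:])
    return emb_host == src_hostport


def framing_allowed(headers: dict, page_url: str, embedder_url: str) -> tuple[bool, str]:
    """Would a browser honouring these response headers let embedder_url frame page_url?

    Returns (allowed, reason). A CSP frame-ancestors directive takes precedence over
    X-Frame-Options when both are present; with neither, framing is unrestricted."""
    lowered = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    for directive in lowered.get("content-security-policy", "").split(";"):
        tokens = directive.strip().split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        for src in (t.lower() for t in tokens[1:]):
            if src == "'none'":
                return False, "frame-ancestors 'none'"
            if src == "'self'" and embedder == page:
                return True, "frame-ancestors 'self'"
            if not src.startswith("'") and _source_matches(src, embedder):
                return True, f"frame-ancestors {src}"
        return False, "embedder not listed in frame-ancestors"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return embedder == page, "X-Frame-Options: SAMEORIGIN"
    if xfo:  # browsers ignore values they do not recognise, so the page stays unprotected
        return True, f"unrecognised X-Frame-Options value {xfo!r} is ignored"
    return True, "no framing protection"


if __name__ == "__main__":
    # Constructed page and embedding origins; none of these hosts exist.
    policy = {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"}
    print(framing_allowed(policy, "https://bank.example/transfer", "https://app.partner.example"))
    print(framing_allowed({}, "https://bank.example/transfer", "https://other.example"))
```

Run against captured response headers, the function flags pages that any site may frame, which is the configuration clickjacking needs.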

Grossman and Robert “RSnake” Hansen were scheduled to deliver a speech on the vulnerability at the OWASP (Open Web Application Security Project) application security conference in New York a couple of weeks ago. Ultimately, the two decided to postpone the details of their findings so that Adobe, which has applications vulnerable to the attack, could have time to secure their applications. “Theoretically, it’s not their bug,” said Grossman, but he respected Adobe’s wishes anyway.

Offsetting this disturbing news are positive developments in application security. The popularity of the OWASP conference itself, said Grossman, is an indication that things are moving in the right direction.

“Developers no longer see application security as ‘calling their baby ugly,’” he said. Three years ago, developers wouldn’t have been flocking to an OWASP conference, Grossman added. “[Developers] want to develop secure code; they just want to be shown how.”

And with all of these vulnerabilities plaguing the Web, application security has never been a hotter field to enter. The best security professionals often hail from the developer community, he explained. “They provide better insight into the business,” Grossman said.

“Not all of the problems have been described, not all of them have been solved,” he said. “Jump in now,” advised Grossman.


Sep 22 2008   4:07PM GMT

Web app security mythbusters

Posted by: Michelle Davidson
Software testing, Application security, Software Quality

There are many misconceptions and myths about application security, and Cenzic is looking to debunk them in its new mythbuster podcast series.

In its first podcast, Cenzic, a provider of Web application security solutions, talks with Jason Lam, a SANS instructor, about topics such as the ability of network tools to address application security, when security testing should be done and who should do it, and how far PCI compliance goes toward securing apps.

Those who have been doing application security will be familiar with the topics. The first podcast, in particular, does not reveal anything new. But still there are many who don’t know what needs to be done to ensure an application’s security — or who don’t understand the importance of those practices — and these podcasts are for them.


Sep 19 2008   2:26PM GMT

Software security is everyone’s problem

Posted by: Jennette Mullaney
Application security, Software Quality, Requirements gathering

Good news about Web security is much rarer than it should be. There was some encouraging news recently, however. A report from WhiteHat Security found that over the course of a year, 66% of known vulnerabilities were corrected. When one considers how terrifying security reports usually are, happy surprises such as these are to be celebrated.

But before you break out the champagne, it might be prudent to read about the report’s other, terrifying findings. Spoiler alert: CSRF attacks are primed and ready for massive destruction. As you can see, application security is a moving target. Once you’ve protected against one threat, attackers come at you using a different weapon.

Sadly, only a small percentage of software professionals realize how important requirements gathering is for security. Business analysts can educate themselves with Kevin Beaver’s tip on writing software requirements that address security issues and Rob Apmann’s Q&A on how to address security during requirements gathering. And project managers should check out a free chapter from Software Security Engineering: A Guide for Project Managers. Requirements Engineering for Secure Software offers a gentle introduction to the subject.

We receive many questions from readers about requirements gathering for applications that need protection built into them. A site that processes credit cards or any other kind of sensitive information must be created with security as a major priority. Rob Apmann recently advised how to gather requirements for a payroll application. The first thing to do, he said, is to gather non-functional requirements such as the scale of the system and whether it is Web-based “so that you start with an architecture that will be secure and meet your deployment needs.”

As industry experts have been saying for years, security needs to be addressed at every part of the development life cycle: requirements, design and architecture, programming, testing, and QA.