Software Development Standards Need To Be Addressed – Part 2

By Guest Blogger, Chris Bonatti, Consultant, IECA – Casper, Wyoming

Foreword by CyberWyoming: According to Girish Seshagiri, Member of the Governing Board of the Consortium for Information & Software Quality, best-in-class coding is less than 600 defects per million lines of code. Yet the average code has 6000 defects per million lines of code. He also said that 84% of vulnerabilities are in the software application layer and that, as a nation, we are spending 23 times more on defending after the attack rather than programming the code right in the first place. He estimates that US taxpayers are paying between $25 and $50 billion per year just for the government to fix software errors, and that only 20% of the government’s IT budget is going to new development. Some estimate that shoddy programming makes a $2 trillion world economic impact. Mr. Seshagiri believes that threat prevention via good coding is the solution.

The More Things Change…

Inadvertent software errors happen for a lot of reasons, some technical, but some are just embedded in the culture of how the industry develops code. Looking at how MITRE Corp’s Common Weakness Enumeration (CWE) list (see https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html) has changed over time, it’s clear that a lot of flaws stem from buffer overflows and other memory management failures. Such things are common with legacy programming languages, such as C, but nearly impossible with modern languages, such as Rust, Go, or even Python. Yet the kernels of both of the major desktop operating systems (Windows and Linux) are written and maintained in good old C. Likewise, a 2020 study by Google demonstrated that more than 70% of severe security bugs in Chrome (written in C++ and JavaScript) are memory safety problems. To be fair, Google and others have promoted the idea of developing new code for the Linux kernel in Rust, but at best this pertains to new code. Nobody is talking about replacing all that existing C code. Why? Because, like Windows, the code works “well enough” to meet the business objectives. Yeah, they might find 100 or so exploitable bugs each month, but they patch them, right? So who cares.
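To make the memory-safety point concrete, here is an added example (written for this post, not code from the author or from any project mentioned above) showing the kind of unchecked copy behind many CWE Top 25 buffer-overflow entries, next to a bounded version that rejects input that does not fit. The NAME_MAX size, the function names, and the sample strings are all invented for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size field, as found in countless legacy C code bases.
   NAME_MAX is an assumed value chosen for this example. */
#define NAME_MAX 16

/* Vulnerable form (CWE-120, "classic buffer overflow"): strcpy() keeps writing
   until it sees the source's terminating NUL, so any src longer than NAME_MAX-1
   bytes runs off the end of `name` and corrupts whatever sits next to it on the
   stack. Shown for contrast only; nothing in this example calls it. */
void copy_name_unsafe(char name[NAME_MAX], const char *src)
{
    strcpy(name, src);
}

/* Hardened form: the destination size travels with the pointer, the source is
   scanned at most dst_size bytes for its terminator, and input that does not fit
   is rejected outright rather than silently truncated (truncation can itself
   become a logic bug, e.g. a path or permission string cut short). */
bool copy_name_safe(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return false;

    /* memchr() stops at the first NUL, so it never reads beyond a properly
       terminated src; if no NUL appears within dst_size bytes, src is too long
       for dst (there would be no room left for the terminator). */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)
        return false;

    size_t len = (size_t)(nul - src);
    memcpy(dst, src, len + 1);           /* +1 copies the terminator too */
    return true;
}

/* Validate-then-store pattern: a caller-facing helper that owns a NAME_MAX
   buffer and reports whether the untrusted input was accepted. */
bool try_store_name(const char *src)
{
    char name[NAME_MAX];
    if (!copy_name_safe(name, sizeof name, src))
        return false;
    printf("stored name: %s\n", name);
    return true;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that would have overflowed
       the unsafe version by a wide margin. */
    const char *ok = "alice";
    const char *too_long = "this string is far longer than sixteen bytes";

    printf("%s -> %s\n", ok, try_store_name(ok) ? "accepted" : "rejected");
    printf("%s -> %s\n", too_long, try_store_name(too_long) ? "accepted" : "rejected");
    return 0;
}
```

The difference is not cleverness but discipline: the safe version cannot be called without a size, and a length check precedes every write. Languages such as Rust or Go enforce exactly this bound on every slice access, which is why the class of bug disappears there rather than depending on each programmer remembering the check.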

A similar situation exists for web commerce, where modules based on the PHP server-side scripting language account for an estimated 78.8% of the market. Many security experts have described PHP in terms ranging from “dangerous” to “fatally flawed”. Wonder why WordPress has had so many emergency push patches? It’s written in PHP. So are XenForo, Magento, Drupal, Joomla, OpenCart, and dozens of other popular packages. The modern web is wholly built atop a fatally flawed scripting language.

Another factor is that the software industry has preached “code reuse” for decades as a way to speed development and reduce cost, but this represents another big problem from a security perspective. Programmers often invoke libraries without really knowing anything about their internal details, and the details matter to security. Sometimes libraries bring with them vast, unscrutinized attack surfaces for the sake of using a single function. Who knows what vulnerabilities may lurk? Some libraries are poorly maintained, or seldom updated by the projects that use them. Furthermore, libraries represent a supply chain risk, which is often poorly evaluated. Today, the risk of a black-hat hacker introducing malware into one of your library dependencies is very real.

Check back in for the final part on software development.
