Application security - For Everyone Who Doesn’t “WannaCry” Because of Insecure Coding Habits
A tiny mistake in the code? That can be enough to ruin lives, demolish companies’ reputations, ground planes and hold fleets hostage in port. One little mistake in application security can result in devastation. Does that sound like exaggeration? Unfortunately not (sometimes we wish it were).
Physical reality and cyberspace are by now so tightly intertwined that no solid line can be drawn between them. Is that a problem? No, it is simply a fact: we have a relatively new sphere of life whose rules differ from those we are used to, and we urgently need to understand it and define appropriate responses.
Application security should be the first line of defense in cybersecurity, spanning the whole secure development life cycle (SDLC): from secure coding training through proper development processes and quality assurance up to security update mechanisms. Secure systems must be well prepared and ready to fend off attacks. Is that hard to achieve? Attackers exploit vulnerabilities, that is, software bugs introduced by programmers who follow insecure programming habits. What developers and software engineers need to do in order to produce secure code is to build secure coding habits. But isn’t habit-forming hard? With the right trainers, it doesn’t have to be.
But let’s step a bit closer to the problem. Here’s a riddle for you: National Health Service of Britain, Boeing Commercial Airplanes, FedEx, Honda, Renault, and Sberbank. What do they have in common?
Easy. They were all hit hard by WannaCry, the cyber nightmare that infected 230,000+ computers on high-profile networks in more than 150 countries within 24 hours, reportedly originating from North Korea.
Pretty serious, yeah? But how could it happen?
“ONLY” ONE MISSING LETTER — Meant the Whole World for WannaCry
Yes: the vulnerability WannaCry exploited came down to a single missing character! (For the whole story read The legacy code behind WannaCry — The skeleton in the closet.) The root cause was an integer truncation, a close cousin of the integer overflow: a 32-bit wide value was stored in a 16-bit wide variable, silently dropping its upper half. The truncated value was then used to size a memory allocation, so the buffer could be smaller than the data later written into it. The result is heap corruption, and since the SMB server runs in the Windows kernel, the corrupted memory is kernel memory, which an attacker could turn into arbitrary code execution on the target machine. The code in question belonged to the SMB protocol (the file-sharing protocol of Windows networks) and converted file extended attribute lists between the OS/2 format and the NT format. Sounds pretty old? The mistake had been hiding in Windows operating systems since the 1990s!
Here is the actual source code snippet:
If you are an experienced programmer, you will probably spot the bug easily. The input parameter a1 is declared as a 32-bit integer (_DWORD), while the local variable v1 is declared as a 16-bit one (_WORD). So when a1 is copied into v1 in the second line (v1 = a1), the upper 16 bits of a1 are discarded; for any a1 above 0xFFFF, a1 and v1 now hold different values. Later on, v1 is used to size a heap allocation while the full a1 still governs how much data is written into it, so a smaller memory area is allocated than needed. The root cause, then, was using _WORD in the second line instead of _DWORD: the whole difference was a missing ‘D’.
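To make the truncation concrete, here is an added example constructed for this article; it is not the decompiled srv.sys code, and the real function, its structures and its allocation sizes are not reproduced. It models the pattern described above using the page’s names a1 and v1, puts the buggy 16-bit store beside the fixed 32-bit one, and adds the checked narrowing helper a practitioner would want in its place. The input length 0x10100 and the function names are assumptions made up for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the narrowing bug described above. This is NOT the
 * decompiled Windows SMB code; the names a1 and v1 mirror the article's
 * description, and every size and input below is made up for illustration.
 *
 * Scenario: an attacker-controlled structure declares its own length (a1) as
 * a 32-bit value. The code stores it in a 16-bit variable (v1), allocates v1
 * bytes, and later copies a1 bytes into that allocation.
 */

/* Vulnerable: the _WORD store silently drops the upper 16 bits of a1.
 * (Written exactly like the page's "v1 = a1": an implicit narrowing that
 * compiles without complaint unless -Wconversion is enabled.) */
uint32_t alloc_size_buggy(uint32_t a1)
{
    uint16_t v1 = a1;   /* truncation whenever a1 > 0xFFFF */
    return v1;
}

/* Fixed: the "missing D". v1 keeps the full 32-bit width. */
uint32_t alloc_size_fixed(uint32_t a1)
{
    uint32_t v1 = a1;
    return v1;
}

/* Defensive pattern: a narrowing that fails loudly instead of silently.
 * Returns 1 and stores the value if it fits, 0 if it would be truncated. */
int narrow_to_u16(uint32_t value, uint16_t *out)
{
    if (value > UINT16_MAX)
        return 0;       /* caller must treat this as a protocol error */
    *out = (uint16_t)value;
    return 1;
}

/*
 * How many bytes would spill past the allocation if declared_len bytes are
 * copied into a buffer sized by the chosen alloc_size_* function? 0 means no
 * overflow. Nothing is really overwritten here; the arithmetic alone shows
 * the heap corruption the article describes.
 */
uint32_t overflow_bytes(uint32_t declared_len, int use_fix)
{
    uint32_t alloc = use_fix ? alloc_size_fixed(declared_len)
                             : alloc_size_buggy(declared_len);
    return declared_len > alloc ? declared_len - alloc : 0;
}

int main(void)
{
    /* Constructed input: 0x10100 = 65536 + 256 bytes. Its low 16 bits are
     * 0x0100, so the buggy path allocates only 256 bytes for 65792. */
    uint32_t declared = 0x10100u;
    uint16_t narrowed = 0;

    printf("declared length : %" PRIu32 " bytes\n", declared);
    printf("buggy alloc     : %" PRIu32 " bytes\n", alloc_size_buggy(declared));
    printf("fixed alloc     : %" PRIu32 " bytes\n", alloc_size_fixed(declared));
    printf("overflow (bug)  : %" PRIu32 " bytes\n", overflow_bytes(declared, 0));
    printf("overflow (fix)  : %" PRIu32 " bytes\n", overflow_bytes(declared, 1));
    printf("checked narrow  : %s\n",
           narrow_to_u16(declared, &narrowed) ? "ok" : "rejected");
    return 0;
}
```

Two things worth noticing. First, for any declared length that fits in 16 bits the buggy path reports no overflow at all, which is exactly why a bug like this can sit unnoticed for decades: ordinary inputs never trigger it, only a crafted one does. Second, compiling with gcc -Wall -Wconversion flags the implicit uint32_t to uint16_t store in alloc_size_buggy, which is the cheapest possible detection of this whole class of narrowing bugs; turning that warning on in the build is a secure coding habit in itself.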
That was the vulnerability. What did WannaCry do to exploit it? This one missing character let WannaCry execute its own code on the target and take control of the system. It then encrypted the files on the hard drive, making them inaccessible to users, and demanded a bitcoin payment as ransom to make them accessible again.
Security vulnerabilities are almost always caused by coding mistakes, or more precisely by insecure coding habits. As you read these lines, more than 20 million software engineers around the globe are writing vulnerable code. The number of exploitable security flaws “developed” every day is far larger than what security professionals can test, detect and correct. The trend is clear: our IT world is becoming more and more insecure and vulnerable.
According to an article on Inc., in 2018, 59% of businesses folded within six months following a hacker intrusion or malware attack. Sit with that one for a second. And the problem is getting worse: in 2017, 61% of small businesses stated that cyber attacks are becoming more aggressive and sophisticated.
It is a worldwide trend that we are becoming more and more vulnerable. What should we do to turn this trend around and start improving global security? We have to find the most effective way to do it. What can that be?
Defining application security vocabulary
The goal is clear: we need to develop more secure IT systems. The big question is HOW?
The discipline that does this is called application security. Before going into details, there are four essential terms to understand, as they capture the common principles of, and the differences between, cybersecurity and application security.
While the Oxford Dictionary defines a cyber threat merely as a possibility (“the possibility of a malicious attempt to damage or disrupt a computer network or system”), in cybersecurity circles a threat is more often identified with specific actors. SecureWorks lists the main threat actors as “nation-states or national governments, terrorists, industrial spies, organized crime groups, hacktivists and hackers, business competitors, and disgruntled insiders.”
The most common technical components of a cyber threat are “advanced persistent threats, phishing, trojans, botnets, ransomware, distributed denial of service, wiper attacks, intellectual property theft, theft of money, data manipulation, data destruction, spyware/malware, man in the middle (MITM), drive-by downloads, malvertising, rogue software, and unpatched software.”
What matters is that threats and malicious actors exist regardless of technology; they have been with mankind since the beginning of time. What has changed is that they are no longer limited by time and space, because the ability to abuse our globalized network has multiplied their capabilities.
Actually, these cybersecurity threats are there because attackers are able to exploit vulnerabilities.
Vulnerabilities are programming bugs (or design flaws) in operating systems or applications that enable attackers to penetrate a targeted system. Before you assume there is a huge number of different vulnerability types, you may be surprised that more than 90% of actual incidents are caused by no more than 10 typical problems.
According to OWASP TOP10, “the most common vulnerabilities are Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE), Broken Access Control, Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, and Insufficient Logging & Monitoring. ”
Would it be so simple? We just need to avoid these vulnerabilities?
In theory, yes. In practice we could do it if all developers knew about these TOP 10 problems; they would then be able to avoid them in the first place, which requires that they change their coding habits and write secure code that does not contain these bugs. It is really not that programmers refuse to do so. The problem is that they lack the necessary secure coding education: they do not know what kind of bugs attackers exploit, and therefore they do not know how to prevent them. So, in order to get programmers to write secure code, the first step is to teach them how. That is called secure coding training.
Hackers use exploits to take advantage of vulnerabilities. For example, when attackers compromised the British Airways website to steal customer data, they used a small piece of code to inject their malicious script into the site. Exploits are the “grappling hooks” that hackers use to get over security barriers.
Risk is the expected damage that threats cause; it is the price we pay for letting vulnerabilities exist and grow in number. Mathematically, risk combines a threat’s probability with the magnitude of its potential impact on the organization: risk = threat probability x potential loss.
To summarize, take the example of an outdated website. It has a text field whose input is neither validated nor sanitized, a common vulnerability. A threat actor can devise an exploit that injects code into the server to steal certain kinds of information from visitors to the website: that is the threat. The risk is calculated by weighing several factors, including how many such vulnerabilities the site is likely to have, how likely they are to be exploited, and how valuable the visitor information is.
To understand these terms better, see these examples provided by Acunetix.
DID YOU KNOW? #1
In the eighties, increased connectivity made self-propagating malware possible, and the Morris worm of 1988 is the classic case. Robert Morris wanted to find out how large the internet actually was, so he wrote a worm that copied itself from machine to machine. The replication was so aggressive, though, that it slowed large parts of the network to a crawl and caused severe damage. Morris became the first person convicted under the Computer Fraud and Abuse Act, a US law designed to punish computer crime. The incident also led to the founding of the CERT Coordination Center (CERT/CC), the first of the Computer Emergency Response Teams that coordinate responses to cybersecurity incidents.
The Diverse Consequences of a Single Cyber Attack
Cyber attacks can be especially painful due to the fact that one single incident can cause numerous severe consequences.
Direct financial burden
From replacing equipment to hiring data recovery experts, cyber attacks always lead to extra expenses, even if you are not hit by ransomware. Even the slightest breach can send your IT staff on a laborious hunt for the malicious code, which is usually far more costly than prevention would have been. The editor-in-chief of Cybersecurity Ventures anticipates that by 2021 cybercrime will cost the global economy no less than $6 trillion a year.
Loss of profit
If your website provides services to customers, anything from live chat to online booking, you are even more exposed, since your customers are inconvenienced the moment the service goes down. This is what happened in the fall of 2016, when a massive DDoS attack on the DNS provider Dyn made major websites like Amazon, Twitter, Netflix and Spotify inaccessible for several hours, with estimated losses of up to $100,000 per minute.
Hackers like stealing customer data from big providers in order to sell it. Obviously, nothing is more embarrassing than facing all of your clients after their data has been compromised. Yahoo fell victim to what was then the largest data heist in history when the names, email addresses, dates of birth and telephone numbers of 500 million users were stolen. Who will be next?
Defective cybersecurity also hurts your company’s reputation. You lose customers on the spot, and prospective clients may avoid you because your company is considered careless and unprofessional. A growing number of countries legally require companies to disclose security incidents and leaks of client or customer data, and to inform the affected users of their exposure and of what they can do to mitigate it. All of that carries a heavy price tag in reputation.
Damaged or deleted data
A flaw in your cybersecurity can lead to painful loss or compromise of crucial information. If your sales records go missing, years of contact-building can be lost. With modern backup systems it is rare that essential data is truly irretrievable, but it still happens. Fast-spreading malware can infect and destroy an entire backup server system in minutes; just look at what NotPetya did to Maersk.
Responsibility — Who Can Do What?
Are you planning to hire more security professionals in response to the growing threats? I have very bad news for you. By 2021 the business world is predicted to face a frightening shortage of 3.5 million properly trained cybersecurity professionals. There will simply not be enough people to hunt for vulnerabilities and to close all the holes, all the windows and all the doors that application developers left open.
No question: the only way to overcome this shortage of manpower is to train your existing staff.
Educating a good cybersecurity professional takes years, while it takes only 3 to 5 days of hands-on training to teach developers the basics of secure coding. As discussed earlier, avoiding just the TOP 10 vulnerabilities would dramatically improve the level of application security. If you do the math, secure coding training is without doubt by far the most effective and least expensive way to improve security.
The challenge is that this approach works only if ALL software engineers receive the necessary training and are MOTIVATED to apply that knowledge in their everyday practice, which means that they have to change their coding habits.
Before you object: secure coding practices, once they have become habits, cause no overhead compared to insecure programming habits; on the contrary, they result in fewer bugs, fewer corrections and fewer security updates.
Do we really need to train each and every developer?
Yes. Just think it over. You are writing secure code, but your colleagues keep making security-relevant mistakes unknowingly, simply by following their insecure programming habits. All your effort is wasted, because the resulting application will still contain common vulnerabilities that hackers will easily find.
Secure coding training is an all-or-nothing game.
Naturally, in practice it is hard to convince upper management to mandate 3 to 5 days of training for all software engineers, as that amounts to roughly 2% of all development expenditure. Usually company-wide secure coding education is therefore introduced step by step:
- Pilot training for selected groups of programmers who develop the most security-sensitive applications in the company.
- Nomination of at least 1 in every 10 to 20 software engineers as a “security champion”, whose duty is to help colleagues write secure applications.
- As a third step, your security champions will beg you to extend the secure coding training to everyone, because they cannot cope with their duties alone.
HR and Management
Both HR and management need to be involved in and engaged with finding the best company-wide secure coding training solution. The main task is to teach developers and software engineers how to switch to secure coding habits. That means, for example, launching a secure coding awareness campaign first, to soften the mandatory feel of the training and motivate participation in the program. Both online and on-site classroom training should be used, combining different types of learning for the best effect.
Know Your Enemy
If you don’t know your enemies’ techniques, you won’t be able to protect yourself. Developers, programmers and software engineers have to develop a way of thinking that lets them proactively detect vulnerabilities. It is no longer possible to let one team handle product development and then go in afterwards to bolt on security: you have to have attackers in mind from the start.
Therefore a highlight of secure coding education is organizing capture-the-flag challenges in which groups of programmers compete to see who is better at security challenges, on both the offensive and the defensive side.
People need to be engaged and motivated to follow security rules. The real challenge for HR and management is to find trainers, teachers and security experts that will get people not just to understand the dangers, but also to want to learn new, secure coding habits. Motivation is the key to the human side of cybersecurity.
DID YOU KNOW? #2
The first country to use cyber power as a weapon was the Soviet Union. Actually, they weren’t the ones carrying out the job; they just “accepted” someone’s services. In 1986, a German hacker, Markus Hess, broke into an internet gateway at Berkeley to reach ARPANET. He compromised over 400 military systems, including computers at the Pentagon, in order to sell the data to the Soviet KGB. At this point, computer intrusion stopped being a funny prank and became a serious danger.
Selecting the most suitable secure coding training solutions
“Give a man a fish, and you feed him for a day. Teach a man to fish, and you feed him for a lifetime.”
In-house classroom training is a solution that “teaches your people to fish.” But companies can’t all pile on the same boat — they have their own individual resources and needs. So before you start searching for expert secure coding trainers, you should think in detail about your expectations and your unique circumstances.
What do you need to think about in advance?
During a secure coding training, attendees receive up-to-date knowledge about secure coding that they can apply to their own specialty. Basically, the task is to teach them how not to code, meaning how not to leave behind easily exploitable vulnerabilities. However, the process isn’t one size fits all.
Courses should be tailored to different audiences and levels of difficulty. For example, you can have a 3-day short course and a 5-day master course exclusively for developers and testers in finance and banking. Even though the basic techniques overlap, there are definite differences between programming languages, such as secure coding in C, C#, Java, PHP, Python, Node.js and the like. Moreover, there are industry-specific differences in regulations and even in exercises; ideally secure coding training is customized for fintech, automotive, healthcare, telecom and other industries too. So, when selecting a secure coding training provider, check whether they can cover the end-to-end requirements of a company-wide education program.
We, at SCADEMY Secure Coding Academy, focus exclusively on secure coding education, but within that field we cover all areas and all requirements. Our reputation depends on the security of the systems we leave behind, and global commerce depends on cybersecurity at every level. Don’t forget that the vast majority of vulnerabilities can be avoided with a few days of well-designed training. We can help in organizing your company-wide secure coding program, from the first steps to the always up-to-date knowledge you need.
Contact us at email@example.com