Risk in code reuse

We all have to become more efficient in everything we do or go extinct like the dinosaurs, except that in our case we will be replaced by more efficient competition, or potentially even by machines. In everything we do, we have to follow the "more with less" principle all the time. Cyber security is no exception. To make matters worse, the number of cyber security risks and challenges seems to be ever-growing, and it is not hard to get overwhelmed by all of its aspects.

Based on field experience: when talking to customers, I always ask about the cyber security aspects of their source code and software development, and most customers say that they don't do any software development and don't have any source code. However, when we start a review of the estate, we find a massive number of applications that include varying degrees of open source components or other types of custom-written code and applications.

The reality of software development is reusing code to deliver solutions faster: do more with less. This process spreads bugs and vulnerabilities without leaving any trace. Reviews conducted by researchers on code published on GitHub and Stack Overflow found an astonishing number of vulnerabilities, some of which could be traced back to insufficiently verified web tutorials. For example, researchers from Security in Telecommunications at TU Berlin, CISPA at Saarland University, Trend Micro and the Institute of Systems Security at TU Braunschweig reviewed 64,415 PHP code samples and found 117 vulnerabilities that have a strong syntactic similarity to vulnerable code snippets present in popular tutorials.
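The study above matched project code against tutorial snippets by syntactic similarity. The following is an added example of that idea, written for this article and not taken from the cited paper or its tooling: it tokenizes PHP, abstracts away the names and literals a copier usually changes, and compares token n-gram sets with Jaccard similarity. The three PHP snippets are constructed for the demonstration (a concatenated login query of the kind found in tutorials, a copy of it with renamed variables, and a prepared-statement version); the 0.6 threshold and 3-token window are assumptions to tune per corpus.

```python
import re

# Constructed samples (not from the article or the cited study). The first is a
# tutorial-style PHP login query built by string concatenation, i.e. the classic
# SQL injection pattern; the second is the same code after being copied into a
# project with the variable names changed; the third uses a prepared statement.
VULNERABLE_TUTORIAL = """
$user = $_POST['username'];
$pass = $_POST['password'];
$query = "SELECT * FROM users WHERE username = '" . $user . "' AND password = '" . $pass . "'";
$result = mysqli_query($conn, $query);
"""

COPIED_INTO_PROJECT = """
$login = $_POST['username'];
$pwd = $_POST['password'];
$sql = "SELECT * FROM users WHERE username = '" . $login . "' AND password = '" . $pwd . "'";
$res = mysqli_query($db, $sql);
"""

PARAMETERISED = """
$stmt = $conn->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $_POST['username'], $_POST['password']);
$stmt->execute();
$result = $stmt->get_result();
"""

# Rough PHP tokenizer: variables, single/double quoted strings, identifiers,
# numbers, the "->" operator and single punctuation characters.
TOKEN_RE = re.compile(r"""\$[A-Za-z_]\w*|'[^']*'|"[^"]*"|[A-Za-z_]\w*|\d+|->|[^\s\w]""")


def normalize(code: str) -> list[str]:
    """Tokenize PHP and abstract the parts a copier typically edits (names, literals)."""
    out = []
    for tok in TOKEN_RE.findall(code):
        if tok.startswith("$"):
            out.append("VAR")      # variable names are renamed freely when code is copied
        elif tok[0] in "'\"":
            out.append("STR")      # string literals (table names, messages) change too
        elif tok.isdigit():
            out.append("NUM")
        else:
            out.append(tok)        # keywords, function names and operators carry the structure
    return out


def shingles(tokens: list[str], n: int) -> set[tuple[str, ...]]:
    """All n-token windows of the normalized token stream."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def similarity(a: str, b: str, n: int = 3) -> float:
    """Jaccard similarity of token n-gram sets; 1.0 means structurally identical."""
    sa, sb = shingles(normalize(a), n), shingles(normalize(b), n)
    if not sa or not sb:
        return 0.0
    return len(sa & sb) / len(sa | sb)


def find_suspected_clones(samples: dict[str, str], known_vulnerable: dict[str, str],
                          threshold: float = 0.6) -> list[tuple[str, str, float]]:
    """Report (sample, vulnerable snippet, similarity) pairs at or above the threshold."""
    hits = []
    for sname, scode in samples.items():
        for vname, vcode in known_vulnerable.items():
            s = similarity(scode, vcode)
            if s >= threshold:
                hits.append((sname, vname, round(s, 2)))
    return hits


if __name__ == "__main__":
    hits = find_suspected_clones(
        {"copied": COPIED_INTO_PROJECT, "parameterised": PARAMETERISED},
        {"sqli_tutorial": VULNERABLE_TUTORIAL},
    )
    for sample, vuln, score in hits:
        print(f"{sample}: {score:.2f} similar to {vuln}, review for the same flaw")
```

The renamed copy scores 1.0 against the tutorial snippet because only variable names differ, while the prepared-statement version shares almost no token trigrams and is not reported. A hit is a review prompt, not a verdict: the match says the structure was copied, and a human still has to confirm that the flaw came with it.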

Well, there is a solution: conduct a risk assessment and prioritize your effort. Risk management, when introduced properly, always follows one of the established frameworks; yes, we reuse checklists and methods from trusted sources. ISO 27001, elements of COBIT or any other reputable source may significantly reduce the effort required.

The following items addressing application and source code security should be included in the risk assessment:

  • Vendor assessment, including the software supply chain, change management and the maturity of the software life cycle. If due diligence is not performed, it surely increases the risk level, which potentially needs to be addressed.
  • Vulnerability assessment results, including penetration testing. Testing should be performed regularly and after every major change, covering all types of applications, not just web. There is no excuse. It is worth considering conducting it continuously rather than once or twice a year. By the way, performing a vulnerability assessment once a year is, in my opinion, a waste of time and money; it is not enough.
  • Implementation of secure coding principles, for example the SEI CERT standard released by the Software Engineering Institute for C++ coding.
  • Patch management methodology. For example, Microsoft releases patches on the second Tuesday of each month. When do most system admins apply them? Some only after a few months, while cyber criminals will have them disassembled and use this information to produce exploits within a couple of days or maybe hours.

Risk assessments will not only detect risks. They will show companies which risks can be accepted, which risks require remediation, and in which order it should be performed.
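As an added example of turning the four assessment items above into the accept/remediate/order decision this paragraph describes (written for this article, not taken from any framework or tool), the following builds a small risk register: each application's assessment answers become findings scored as likelihood times impact, and the register is split into an ordered remediation queue and an accepted-risk list. The two applications, the 1-to-5 scales, the risk appetite of 6 and the age and patch-lag thresholds are all constructed assumptions; the only one taken from the text is treating an assessment older than a year as not current.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds and scales below are assumptions for illustration, not from the article.
ACCEPTABLE_RISK = 6          # likelihood x impact at or below this is accepted
PENTEST_MAX_AGE_DAYS = 365   # the article calls once a year "not enough", so this is the hard limit
PENTEST_STALE_DAYS = 90
PATCH_LAG_CRITICAL_DAYS = 30
PATCH_LAG_WARNING_DAYS = 7


@dataclass
class Finding:
    asset: str
    title: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe), driven by data sensitivity

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def assess(app: dict, today: date) -> list[Finding]:
    """Turn the four assessment items for one application into scored findings."""
    name, impact = app["name"], app["data_sensitivity"]
    findings = []
    if not app["vendor_due_diligence"]:
        findings.append(Finding(name, "no vendor / supply-chain due diligence", 3, impact))
    last = app["last_pentest"]
    age = (today - last).days if last else None
    if age is None or age > PENTEST_MAX_AGE_DAYS:
        findings.append(Finding(name, "no current vulnerability assessment", 4, impact))
    elif age > PENTEST_STALE_DAYS:
        findings.append(Finding(name, "vulnerability assessment older than a quarter", 2, impact))
    if not app["secure_coding_standard"]:
        findings.append(Finding(name, "no secure coding standard adopted", 3, impact))
    lag = app["patch_lag_days"]
    if lag > PATCH_LAG_CRITICAL_DAYS:
        findings.append(Finding(name, "patches applied more than a month after release", 5, impact))
    elif lag > PATCH_LAG_WARNING_DAYS:
        findings.append(Finding(name, "patches applied more than a week after release", 3, impact))
    return findings


def prioritize(findings: list[Finding], appetite: int = ACCEPTABLE_RISK):
    """Split findings into an ordered remediation queue and an accepted-risk list."""
    remediate = sorted((f for f in findings if f.score > appetite), key=lambda f: f.score, reverse=True)
    accepted = [f for f in findings if f.score <= appetite]
    return remediate, accepted


# Constructed estate of two applications (sample data, not a real environment).
ESTATE = [
    {"name": "customer-portal", "data_sensitivity": 5, "vendor_due_diligence": False,
     "last_pentest": date(2023, 1, 10), "secure_coding_standard": True, "patch_lag_days": 45},
    {"name": "internal-wiki", "data_sensitivity": 2, "vendor_due_diligence": True,
     "last_pentest": None, "secure_coding_standard": False, "patch_lag_days": 10},
]
ASSESSMENT_DATE = date(2023, 6, 1)


def build_register(estate=ESTATE, today=ASSESSMENT_DATE):
    """Assess every application in the estate and prioritize the combined findings."""
    findings = [f for app in estate for f in assess(app, today)]
    return prioritize(findings)


if __name__ == "__main__":
    queue, accepted = build_register()
    for f in queue:
        print(f"REMEDIATE {f.score:2d}  {f.asset}: {f.title}")
    for f in accepted:
        print(f"ACCEPT    {f.score:2d}  {f.asset}: {f.title}")
```

With this data the 45-day patch lag on the sensitive customer portal tops the queue, the missing vendor due diligence comes next, and the wiki's missing coding standard and ten-day patch lag fall within appetite and are recorded as accepted rather than silently ignored. The scales are deliberately simple; what matters is that the ordering is reproducible and the accepted risks are written down.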