What Should I do about Software Security?
What do we do?
Companies often ask, “What do I need to do to better protect my software?” And it of course depends on a great many things. That’s where having a trusted partner can help: we help you sift through the details, pentest what you have, and help you engineer a better tomorrow. Here are a few basics to get you thinking about software security.
Native Apps
Native apps are typically written in C/C++. The big risks are memory corruption, along with the typical design, authentication, and encryption concerns common to all apps. Thus, mitigating control-flow hijacks is top of mind. Buffer overflows, Use-after-frees, and more are the types of vulnerabilities to look out for. Traditional protections include ASLR and DEP to ensure that attackers cannot easily overwrite a pointer and change program flow. Return-oriented programming (ROP) however was the way attackers have gotten around that. Stop-gap solutions like EMET monitored critical APIs to stop ROP… but didn’t fully work. Thus, CFI[2] (control flow integrity) has become the path forward. Microsoft is leaning on CFG (control flow guard) in Windows 10, to overtake EMET. CFG isn’t perfect either[3], but it’s a step in the right direction.
Managed Code
DevOps is the rapid engineering and release cycle that web apps are commonly built in. The threats here are different but no less pressing. There’s so much code, needed so soon, that proper testing is often not possible. Command injections, client-side scripts, and all the typical design issues are common flaws. Using the right frameworks, best coding practices, automated scanners, and perhaps WAFs (web application firewalls) are common protections. Pentesting final products is a good bet too, as always.
Isolation
It’s possible to put most apps, rather native or managed into a sandbox (lesser privileged jail) or VM. That is always a good idea. Popular apps such as browsers do this for rendering tabs, to minimize the risk should a vulnerability be triggered within that heavy processing (images, movies, scripts, etc.) and risky environment. Least privilege is still a good defense-in-depth strategy.
Conclusion
For a more detailed look at these concerns, Take a look at “Security: for Hackers and Developers” on PluralSight or Contact Us to chat.
Connect with us on Linkedin or Contact Us to set up a meeting.