Non-technical readers may be surprised to learn that software defects are the most common root cause of information security vulnerabilities. Whether through poor design, improper coding techniques, inadequate testing, or incorporation of third-party software modules of dubious quality; in many cases the threat vector is baked in before users install the software.
In 2002, the National Institute of Standards and Technology (NIST) commissioned a study by the Research Triangle Institute to examine the impact of software defects on our economy. The study found that software errors cost the U.S. economy an estimated $59.5 billion annually. Fortunately, over the last few years there has been an increased focus within NIST and industry on improving the software development process, including both more rigorous design guidelines, as well as, better testing processes and tools.
The discipline within computer science that addresses software quality is known as software assurance. It is the level of confidence that software will function as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the life-cycle (Committee on National Security Systems Instruction 4009 “National Information Assurance Glossary” (APR 2010). You can thank software assurance practitioners for the thorough techniques – developed in the 1950s-1980s – used in the development of safety-critical software used in aircraft avionics, railroad signaling apparatus, spacecraft, and nuclear weapon systems.
If you conclude that there must be a world of difference between the way safety-critical software is developed and the process used to build a web storefront to accept your credit card payment, you are unquestionably on the mark. However, software defects are seldom included maliciously as a distinctive unadvertised feature. Rather, they are typically introduced inadvertently as the result of development cycles that are more focused on getting a product to market rather than delivering quality software. Remember the adage “Good, fast, cheap. Pick two”?
Fortunately there is help for developers working outside of highly disciplined environments. NIST has a wealth of resources and testing tools and makes the National Vulnerability Database available to the software development community. Another useful resource is the annual list of the Top 25 Most Dangerous Software Errors published by The SANS Institute.
A SQL Injection is Not a Flu Shot
Near the top of the SANS list for the last three years is SQL injection (improper neutralization of special elements used in SQL Commands. This attack is primarily used against applications that use web-based forms to pass data to a database. In this attack, a hacker enters malicious SQL code into the form instead of benign transaction data; the code is then passed to the database in one or more of the form’s fields.
For example, instead of receiving a credit card number in the appropriate form field the database receives a command string that in the SQL language tells the database to return a web page with all the credit card numbers in the database. You, as a customer of the company whose web application has been compromised, learn only much later that your data has been sold to some very shady people.
In 2011, SQL injection was responsible for the compromise of many high-profile organizations, including Sony Pictures, PBS, MySQL.com, security company HBGary Federal, and many others. As a developer you do not want to be responsible for a malicious penetration such as this, so make use of the resources above and avoid this and other dangerous errors.
Before I go, I’ll share some SQL injection humor…
One clever hacker is reported to have been very creative in using SQL injection to avoid traffic citations. Realizing that speed traps use cameras that automatically register speed, take a picture of the license plate, and then use character recognition on the picture to create a lookup in the DMV database, he changed his license plate number from ZU 0666 to (‘ZU 0666′, 0, 0); Drop Database Table which, when processed, would delete any database records involving his plate numbers.