Micro Focus Fortify is proud to be the exclusive sponsor of the TestGuild Security podcast hosted by Joe Colantonio. This weekly podcast, dropping every Thursday, is a 30-minutes-or-less, interview-style series speaking with some of the top security testing experts in the field.
The latest episode of the TestGuild Security Podcast, Understanding the Most Common Secure Coding Standards, features Arthur Hicken. Arthur Hicken has been involved in automating various practices at Parasoft for over 20 years. He has worked on various projects involving the software development lifecycle, software security, complex web applications, and integration with legacy systems. Arthur has helped IT departments at Cisco, Vanguard, Motorola, and other major companies improve their software development practices.
I highly suggest you carve out 30 minutes to give this podcast a listen. Until then, quoting Arthur, here are some key highlights I found intriguing during the interview.
What is Software Security?
“Software Security is more than just what we think about with system security. It's not antivirus, malware, firewalls, things like that. It's about building software correctly in the first place so that it can't be penetrated. So, to do that we use coding standards and static analysis to enforce the coding standards. Now there's a lot of different kinds of static analysis and it's important to understand because some static analysis things are either runtime or similar to runtime. Then there is what they call flow analysis or data flow analysis, where the application kind of simulates what's happening without actually executing. And then there's really preventative standards as well.”
Workflow of Static Analysis
“The first thing is you want to detect the error or, right, what problem am I having? Maybe I'm leaking connections to the database. So now I'm looking at, well, why does that happen? Open connections are being closed, so there's resource leaks. So eventually I run out of connections. So we look where it happened. Where's the developer who forgot to close these connections or where's the process that's supposed to sweep through and close them periodically? And now we can put in a coding standard that says, hey, let's make sure that each open connection is closed before we exit, before you go out of scope or before we leave a function or before we log out. And maybe we have to put that into a finally block so that if some kind of an error condition occurs, that connection doesn't leak.”
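The connection-leak standard Arthur describes, worked through as an added example (it is not code from the podcast, Parasoft or Fortify). Python's try/finally stands in for the Java-style finally block he mentions; the ConnectionPool class, the release_outside_finally lint rule and the WORKLOAD list are all constructed here so the leak, its consequence (pool exhaustion) and the static check that enforces the standard can be observed offline.

```python
import ast
import sqlite3


class ConnectionPool:
    """Constructed toy pool with a fixed capacity, so that leaked connections
    show up as exhaustion instead of failing silently."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.open_count = 0

    def acquire(self):
        if self.open_count >= self.capacity:
            raise RuntimeError("pool exhausted: earlier connections were never released")
        self.open_count += 1
        return sqlite3.connect(":memory:")

    def release(self, conn):
        conn.close()
        self.open_count -= 1


def query_leaky(pool, sql):
    """The pattern the standard forbids: release() is only reached on the happy path."""
    conn = pool.acquire()
    row = conn.execute(sql).fetchone()  # raises on bad SQL, so release() below is skipped
    pool.release(conn)
    return row


def query_safe(pool, sql):
    """The pattern the standard requires: release() sits in finally, so it runs
    on success, on exception and on early return."""
    conn = pool.acquire()
    try:
        return conn.execute(sql).fetchone()
    finally:
        pool.release(conn)


def run_workload(query_fn, pool, requests):
    """Feed a mix of valid and malformed SQL through query_fn.
    Returns (failed_requests, connections_still_open)."""
    failures = 0
    for sql in requests:
        try:
            query_fn(pool, sql)
        except (sqlite3.Error, RuntimeError):
            failures += 1
    return failures, pool.open_count


def release_outside_finally(source):
    """Toy static check for the coding standard: True if any release() call in the
    given Python source is not inside the finally block of a try statement."""
    tree = ast.parse(source)
    protected = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Try):
            for stmt in node.finalbody:
                protected.update(id(n) for n in ast.walk(stmt))
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "release"
                and id(node) not in protected):
            return True
    return False


# Constructed workload: four valid queries interleaved with three malformed ones.
WORKLOAD = ["SELECT 1", "SELEC 1", "SELECT 2", "SELEC 2", "SELEC 3", "SELECT 3", "SELECT 4"]

if __name__ == "__main__":
    import inspect
    for fn in (query_leaky, query_safe):
        failures, leaked = run_workload(fn, ConnectionPool(capacity=3), WORKLOAD)
        flagged = release_outside_finally(inspect.getsource(fn))
        print(f"{fn.__name__}: {failures} failed requests, {leaked} leaked, "
              f"lint flags it: {flagged}")
```

With a pool of three, the leaky version loses one connection per malformed query and then fails every later request, including the valid ones, which is the "eventually I run out of connections" symptom; the finally version fails only the three malformed requests and leaves nothing open. The AST rule is the coding-standard side of the story: it flags the leaky function before anything runs.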
“So, let's look at some of the biggies here. You commonly hear about the CWE Top 25. It's short for Common Weakness Enumeration, meaning it's supposed to be a common way for us to discuss vulnerabilities in software so that when the vendors of Tool A and Tool B say that they're finding something, we know that it's the same thing. It's got this complex hierarchical tree of weaknesses and it's really mostly symptom oriented because it's designed to describe problems. Now that's the top 25 or the most common, most dangerous things, but there's a secondary thing beyond the top 25.”
Arthur also gave his take on the security standard OWASP.
“OWASP has a thing called the Top 10. Again, it's not designed to be comprehensive, it's the 10 things that are most commonly occurring out there. They're not all statically analyzed. Number nine in particular is really about using components with known vulnerabilities or software composition analysis or component transparency. The latest version of this is 2017. They change it every few years, so it'll change from time to time. But a lot of the items stay the same. And there is again a risk scoring system that comes with it that has four key data points. One is exploitability. How hard is it for someone, if I have this particular weakness, to take advantage of it? Prevalence. How much are we seeing in the wild? Does it happen all the time or rarely? Detectability. If I have this weakness, can they find it? Because if they can't find it and it's hard to exploit, maybe I don't have to worry as much. And then there is the technical impact: is it severe? Is it moderate? Is it minor? And so, putting it together you get a really great risk matrix that helps me understand these things are low, these things are high. This is what I should work on first.”
Hear the full interview, where Arthur discusses many security standards such as OWASP, PCI, GDPR and more!
About Micro Focus Fortify
Fortify offers an end-to-end application security solution that secures and protects code throughout the entire development lifecycle of any type of software—from development to testing, release to production and every iteration in between. Fortify static, dynamic, interactive, and runtime security testing technologies are available on premise or on demand, offering organizations the flexibility needed to build an end-to-end software security assurance program.