One of my favorite television shows these days is one of the highly successful USA Network dramas called “White Collar.” The plot revolves around a stellar FBI agent and a highly educated criminal mastermind, who specializes in art thefts and forgeries, whom the FBI agent brought to justice. The FBI agent then turns the criminal into a consultant to the FBI and together they go on to flourish as a crime-fighting team, clearing 94% of their caseload.
White Collar is hardly the first plot to feature such a team. Leonardo DiCaprio’s “Catch Me if you Can” featured a young forger named Frank Abagnale, Jr. who, after his capture, not only assisted the FBI in uncovering bank fraud cases, but also developed many of the security features used by banks today to prevent checks from being duplicated…and in Abagnale’s case, the story is true!
His is not the only case of an organization using a criminal to develop security measures. The entire Black Hat Technical Security Conference is built upon the premise that if the industry can understand the minds of hackers, they can defend against them.
Perhaps security vendors need to hire more hackers to beef up their security software.
Fox Watching the Hen House
Hacker insight might have been beneficial to security vendor Symantec, which confirmed this week that previous versions of its source code had been stolen and that its own servers were breached back in 2006. The thefts mean that the source code for a number of security applications in wide distribution – including Norton Antivirus Corporate Edition, Norton Internet Security, pcAnywhere, and Norton GoBack – had been compromised.
One security expert, Scott Crawford of the consulting firm Enterprise Management Associates, told SC Magazine that:
“…just because a product is a few years old, it does not mean the code has not been repurposed for current products. While Symantec has indicated that much of the code was old, he said, it has not said if any of the old code is part of current offerings. In fact, it is very common to repurpose code, particularly when the code is designed to solve a specific problem,…”
Crawford said such things are becoming more commonplace and it is unclear whether or not security application providers “are doing an adequate job of managing their own risk.”
The place to start managing that risk is by ensuring the structural quality of the application software.
Securing the Foundation
When it comes to the structural quality of application software, I often defer to an analogy of the way a house is built. The first step is to ensure the foundation is solid, free of cracks and infiltration points; then a sturdy frame is constructed on top of it, with the outer layer of the house built around and on top of that.
At the foundation of software - security applications included - is its code and as Jim Bird says in his "Building Real Software" blog, half of the problems with security "are security coding defects — basic mistakes in coding that attackers find ways to exploit."
Unfortunately with software, current demands to produce executable applications quickly mean new apps are frequently built on top of old software…and therein lies the problem. Often developers either do a cursory manual check of the quality of that software or simply take for granted that the existing code was structurally solid. Unfortunately, cyber thieves are smarter today than when the foundation software was built – even if that was just 18 months ago – so there may be holes in the original software that can be exploited or, as in Symantec’s case, they could already have access to that code and use it to infiltrate the new applications built upon it.
Once in, hackers can continue to affect future generations of applications built upon their pilfered and altered code. Companies therefore need to step up their efforts to assess the structural quality of code being built upon before any new versions are authored.
Bird adds that, "Focusing on preventing, finding and fixing these mistakes is a good place to start a software security program." Something like automated analysis and measurement could provide management the type of "focus" needed to track, incentivize and ensure that security, stability and efficiency traps are not introduced either inadvertently or maliciously into applications…a particularly important concern with security software.
Being able to see the potential threat means it can be eliminated before it becomes a future security problem…or in the case of a security vendor, before it becomes a security “security” problem.