Security can be a complex and often overwhelming issue. To ensure application security, not only must you prevent hackers from entering the system, but you need code in place that safeguards security should those preventive measures fail. There is no room for error. You can anticipate and prevent hundreds of security vulnerabilities, but if you overlook just one vulnerability, a hacker can wreak total havoc on your system.
These are the three most commonly exploited internal software weaknesses:
- Dangerously-constructed SQL statements (for programs that interact with a database).
- Buffer overflows (for C and C++).
- Uncaught runtime exceptions (for Java, as well as .NET-based languages such as managed C and C++).
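As an added illustration of the first weakness (this is example code written for this edit, not code from the article or from Parasoft), the block below puts a dangerously constructed SQL statement next to its parameterized replacement and runs both against a constructed in-memory SQLite table. The user table, the names in it and the test input are all made up for the demonstration; the point is that with string-built SQL an input value can change the structure of the statement, while with a bound parameter the statement text is fixed and the input can only ever be compared as a value.

```python
import sqlite3


def make_db():
    """Build a constructed sample table (not real data) in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_dangerous(conn, name):
    """The 'dangerously constructed' form: the caller's input is spliced
    into the statement text, so the input becomes part of the SQL grammar."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """The preventive practice: the statement text never changes; the driver
    binds the input as a value that is only ever compared as a string."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups with an ordinary input and with a constructed input
    that contains quote and OR characters; return the four result lists."""
    conn = make_db()
    ordinary = "bob"
    hostile = "x' OR '1'='1"  # constructed test input, not a real user name
    return {
        # behaves as intended for a well-formed name
        "dangerous_ordinary": lookup_dangerous(conn, ordinary),
        # the statement's WHERE clause is rewritten and every row comes back
        "dangerous_hostile": lookup_dangerous(conn, hostile),
        # same well-formed name, same answer
        "param_ordinary": lookup_parameterized(conn, ordinary),
        # the odd string is simply a name nobody has, so no rows match
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:20s} {rows}")
```

The `demo()` function is deliberately written so that a unit test can assert on its return value: that is the shape of the "unit testing" practice the AEP methodology relies on, where the expected behaviour of the hardened form is pinned down once and then checked automatically on every build.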
The traditional industry approach to compensate for these weaknesses is to build code, then later perform a sort of "monkey testing" intended to simulate hacker actions. Testers attempt to design and execute a large number and variety of tests which pound on the application in as many different ways as possible, all in hopes that these tests will reveal a security vulnerability, which can then be remedied prior to deployment. If fastidiously applied, this strategy can expose many critical security vulnerabilities. However, such a thorough application of this strategy is difficult and time-consuming. The test cases that must be created to identify these security vulnerabilities are typically complex, and few teams have the time and resources to write the necessary number and range of complex test cases without slipping on their deadlines and budget.
A New Security Supplement
An easier way to protect code from these three common attacks is to apply preventative practices and start improving your code's security before you write test cases specifically for security verification. The Automated Error Prevention (AEP) Methodology provides an effective and feasible way to prevent security vulnerabilities through the automated application of industry-standard best practices, such as coding standards enforcement, unit testing, integration testing, and runtime error detection. Apply the recommended AEP practices throughout the software development lifecycle, and it's possible to remove many security vulnerabilities, as well as improve the overall code quality and reliability.
Introduction to AEP
The AEP Methodology is based on the AEP Concept, which is essentially to learn from your own mistakes and the mistakes of others, and then automatically apply that knowledge in the software lifecycle to make software work.
These are its five main principles:
- Apply industry best practices to prevent common errors and establish a foundation for full life-cycle error prevention.
- Modify practices as needed to prevent unique errors.
- Ensure that each group implements AEP correctly and consistently:
  - Introduce AEP on a group-by-group basis.
  - Ensure that each group has an appropriate supporting infrastructure.
  - Implement a group workflow that ensures error prevention practices are performed appropriately.
- Phase in each practice incrementally.
- Use statistics to stabilize each process, and then make it capable.
This article demonstrates how to apply the AEP Methodology using three security vulnerabilities. Along the way, you'll learn several industry best practices: two for preventing SQL injection vulnerabilities, one for preventing buffer overflow vulnerabilities, and one for preventing uncaught runtime exception vulnerabilities. These best practices, which are based on lessons learned from previous developers' security mistakes, are an example of the application of AEP Methodology Principle 1. Other available industry best practices are designed to prevent functional errors, robustness/construction errors, performance errors, and usability errors. Like all industry best practices, these security-related practices should be applied in the manner described in AEP Methodology Principles 3-5. If you later identify security vulnerabilities that are unique to your project and that are not identified by the standard AEP practices, you would apply AEP Methodology Principle 2: you would modify existing error prevention practices (or develop new ones). You would then implement the modified or new practices in the same manner that you implemented the industry-standard practices.
For more details about the AEP Methodology, including a blueprint for how to apply its five key principles to your own development group, see the AEP section of the Parasoft Website.
Editor's Note: The author, Dr. Adam Kolawa, is the chairman and CEO of Parasoft, a vendor of development tools that integrate an error-prevention process. We have selected this article for publication because we believe it to have objective technical merit. No endorsement of Parasoft products is implied by its publication.