Hardship in producing secure software

Not a single developer, analyst, project manager or business owner wants to own insecure software, just as customers would never want to trust an insecure application with their valuable data. Having or using a rock-solid secure application is a desired thing, but is it possible at all, and what can we do about it?

Is secure software somewhere around the Never Land?

This is Bedirhan from the CodeThreat team, and in this post I’ll try to pinpoint the difficulties of producing secure software. First things first: the number of new vulnerabilities published each year leads to a disturbing but factual conclusion:

It is pretty hard to write and maintain secure software. …

Program analysis fights against imperfection

Security automation tools cannot provide a provably correct answer to non-trivial security questions. Nevertheless, this limitation doesn’t undermine their value as great helpers in making our applications secure. Without automated tools it’s quite hard to keep up with the speed of current development practices.

That being said, for example, we can’t build an algorithm that decides whether an arbitrary target program is free of SQL injection or not.

Imperfection is an inherent part of any automated security analysis solution; sensitivities are mechanisms that increase the precision of these tools (at a cost)

Sure, there are good tools that check this interesting property, but never with 100% certainty. Please read our previous blog post for a proof. …

Security testing automation is stranded by Gödel

Everyone who has dealt with developing a comprehensive automated security testing tool knows that it is a challenging task. Staying on top of new security bugs and making the tool performant is one thing; keeping false alarms (false positives) and missed bugs (false negatives) as low as possible is something else. But there’s one more, inherent limitation to any automated software security testing solution, SAST or DAST…

Sometimes, the most definite answer we can get out of a security testing tool is just a MAYBE

As a side note, we have written about soundness and precision in one of our earlier posts, and you can read it to learn some fundamental terms about the quality of automated security testing.

There’s more to it than meets the eye…

Building is harder than breaking. Well, at least most of the time. Building quality software takes months, if not years. And I’m not aware of a security weakness discovery that takes even a few weeks, let alone months. Having said this, I also have to admit that I don’t have any first-hand government-level, cyber warfare exploit experience. So, what do I know… Nevertheless, a similar comparison is possible between fixing and hacking. Most of the time fixing might seem easier, but it’s not. There are various difficulties a developer has to tackle to mitigate a security bug.

Defense is harder than attack. We, developers, should be prepared.

This is your host Bedirhan here, and I’ll try to list the annoying but fruitful actions to follow when eradicating a security bug in your software. We don’t want to get rid of just the symptoms, but of the problem for good. …

A journey of a software security request…

This is the story of a community-triggered security request that was worked on by the related project team and fixed by raising awareness through the sample code and the official documentation over a two-year period.

This is Bedirhan, and in this post I’ll try to give you a pretty nice example of the different phases and views of handling security concerns in real life. By the way, I came across this example purely by chance, and it was somehow exhilarating to dig into the story further.

This is the relentlessly dug-up story of a security request

It All Starts with Curiosity

Here’s the starting point of the story. I was trying to write a file upload code example and was looking for alternatives. The search led me to a blog post of a popular .NET Core package, elmah. It’s a well-known third-party package for easy…

Do we actually need it for secure software?

Before I draw flashes of anger from all the software security-aware professionals out there, I insist that you take some time to contemplate the subtitle.

Input validation is the heavily recommended technique for preventing malicious attacks against our software, although from the analyst and developer perspective it is sometimes treated as a burden. In this post you can find a discussion of whether we can write secure code without using input validation whatsoever.

Do we actually need input validation when securing software?

This is Bedirhan, and I’ll present some solid examples that allow us to ask that “obnoxious-looking” question in a short while. …

Automation is a key process for secure software development. It is a requirement because we are extremely short on resources and need to catch up with the speed of development to production. This is Bedirhan, and in this post I’ll try to explain what security automation brings to our dubious battle against hackers. Equally importantly, I’ll try to list the things we should know about any security automation technology, so that we never assume we have won the battle just because we have it in place.

Automation: A vital piece of the security puzzle that we should understand well

We produce huge amounts of code, and it has to be tested, deployed & maintained. Sure, we can build efficient processes for humans to follow to handle these tasks; however, those fall short when carried out manually. …

Implement, Measure, Improve…

An intrinsic part of our security static code analysis solution is benchmarking. Obviously, for such a complex and undecidable [1] area of computation, we needed a yardstick to measure our progress and quality and to compare our approach with others. This is Bedirhan, and I’ll try to give an overview of one of the benchmarking projects [2] we produce and continuously use in our CodeThreat solution.

Hermann Rorschach used ink blot images to evaluate a person’s personality characteristics

As a personal note, in the ooold days I tried the same with web application crawlers and it turned out to be a very prolific open-source tool for benchmarking web application security scanners. …

Over a distributed series of posts, we’ll try to explain some of the fundamentals of static code analysis. Armed with this information, it will be easier for security professionals and developers to comprehend and perhaps compare the internals of such tools, CodeThreat being one of them.

This is Bedirhan, and in this post I’ll go through a few important attributes used to describe output quality in program analysis. Moreover, some of these attributes describe how tools approach the static code analysis problem.

List of security bugs identified by running a static scan against Enterprise-BackOffice application.

Let’s first start with this quadruple: True Positive, True Negative, False Negative and False Positive. We may already be familiar with the last two, especially the last one. …

Yesterday, I had to explain what I do to a group of people and had a really hard time expressing myself, puffing and sweating. The topic was program analysis. In my specific case, it was analyzing source code to find potential bugs without actually running the code.

Designing and implementing a program that can analyze other programs is not easy, but it is equally challenging to explain the details to people who were previously uninterested.

This is Bedirhan and here’s my second take with an intuitive example that may explain the basic process.

Static code analysis is pretty much like having breakfast

Assume that a successful brain surgeon has the following breakfast routine. It may look almost robotic, but as you might guess, she is extremely busy. …



CodeThreat is a static application security testing (SAST) solution. Visit codethreat.com
