NEWS AT SEI
This library item is related to the following area(s) of work:Security and Survivability
This article was originally published in News at SEI on: June 1, 2002
Shawn Hernan, a team leader with the CERT Coordination Center at the SEI, spends a good part of his day tracking and analyzing the vulnerability reports he receives from software vendors who have discovered security-related problems in their products. Since January, Hernan and his team have logged more than 1,600 new software vulnerabilities—a staggering number for any system or network administrator to evaluate and possibly act on. The current system of issuing copious warnings and expecting organizations to keep up, Hernan says, is quickly becoming unrealistic.
"It is nearly impossible, and extremely time consuming, for anyone to stay current on these reports and patches. Just reading through them and seeing which ones affect you can take weeks," Hernan says. "We need to look more at preventing them in the first place."
In an effort to help organizations reduce vulnerabilities in software, Hernan has teamed up with members of the Team Software Process (TSP) Initiative at the SEI to consider how improved software quality methods such as the TSP might help developers detect and prevent security defects earlier in the software-development life cycle. Hernan has also developed a list of the five common causes of software defects, which he hopes will help organizations begin to improve their security practices.
According to CERT Coordination Center statistics, more than 90% of software security incidents are caused by attackers exploiting known software defect types.
The TSP provides a framework, set of processes, and collection of disciplined methods for producing quality software. With TSP, software teams can produce near defect-free software with typically fewer than 0.1 defects per thousand source lines of code (KSLOC). Given that a vulnerability is a flaw or defect in a piece of software that allows an intruder to read, modify, or disable the way that software functions in a system, using TSP could yield significant results. "We know that TSP reduces overall software defects. We want to see if it can reduce security defects in software," says Noopur Davis, a member of the TSP team who is working with Hernan. "The question is, how do you design, implement, review, and test software for security?"
The answer lies, in part, in extending TSP for secure systems. Davis said this extension of TSP would support secure software-development practices, help predict the likelihood of security defects by creating specific, security-related measures, and be dynamically tailored to respond to new threats. In the coming months, Davis and her team will explore how applying the TSP can help developers identify and remove vulnerabilities during the early stages of software design and development.
Why are so many software vulnerabilities being reported? The problem, Hernan and Davis agree, is not a lack of available data, knowledge, training, or support regarding security practices. Incident response centers (such as the SEI's CERT Coordination Center), guidelines, checklists, best practices, and other useful materials are widely available. "I have come to believe that a vulnerability is not so much a property of software as it is a property of an organization," Hernan says.
Meanwhile, Davis is curious to see how simply applying TSP might help organizations eliminate more defects, including potential vulnerabilities. For example, most operating systems and commercial software applications are known to have more than 2 defects per KSLOC, or 2,000+ defects per million SLOC. Even if only 5% of these defects are potential security concerns, there are 100 vulnerabilities per million SLOC. "That is still a huge number of defects," she says. "There is significant potential here for TSP to reduce those numbers."
Although there are thousands of known software vulnerabilities, Hernan has been able to categorize them into five main causes (listed below). In addition to realizing potential improvements through applying disciplined processes, organizations can have a better chance of creating secure applications and systems by programming software with these causes in mind:
Davis and Hernan are currently seeking organizations to take part in pilot projects to help develop specific technical solutions—new design and implementation practices—for security, review methods and checklists, and tools. If your organization is interested in participating, please contact the SEI.
For more information
Please tell us what you
think with this short
(< 5 minute) survey.