Developers and security testers need to pay special attention to vulnerabilities in their source code, particularly when using open-source components. Ransomware often takes advantage of vulnerabilities or flaws in:
- product or application,
- communication systems,
- encryption systems, and
- proprietary protocols.
The US Department of Homeland Security recently revealed that 90% of security breaches happen due to vulnerabilities in the code. Malicious source code can strike deep at the infrastructure layer and affect multiple products and services at once. The Heartbleed bug, for example, affected:
- websites,
- networked gadgets and appliances,
- online services that use the Transport Layer Security (TLS) protocol to identify and authenticate users, and
- client-side software.
Here are some ways in which security experts can keep their networks safe from source-code-level attacks:
Be Vigilant about Data Connection
Many start-ups and small businesses these days work over Virtual Private Networks (VPNs), which give them a private network on top of the publicly available Internet. One big risk of the hundreds of VPN apps for Android available for download is that they raise user and data security issues. Even though the Google Play Store only hosts apps verified by Play Protect, many of these apps are still not safe to use.
Many of the free VPN apps sell users’ data and online behavior reports to advertisers. A security testing team should read the ‘Privacy Policy’ of free VPN apps for Android and check how transparent they are about what they do with the data they collect.
The worst risk that free VPN apps present is that they may contain malicious source code embedded deep within the app. Such code may not only monitor your online activity but may also install spyware on your mobile device. Hence, you should only install free VPN apps that are available officially on the Play Store and hosted by a reputable service provider. VPN apps for Android distributed as APK files can be malicious; only install them after first setting up good antivirus software on your smartphone.
Automated Scanning of Continuous Integration and Continuous Deployment (CI/CD) Tasks
Developers working on large-scale, enterprise-level software apps often share resources. They work within source code repositories (known as ‘repos’) which are exempt from scrutiny by other development, testing, and QA teams. Similarly, when multiple developers work on a single module, team leads use version control tools to quickly test the emerging versions of the code and roll them back if required.
Security testers should use vulnerability scanning tools to avert common security issues in such cases. A popular developer tool called Jenkins, for example, can detect when a coder submits a change to an app and then trigger a test suite. If the scanning is successful, the tool automatically deploys that version of the app.
To automate a web app test, a virtual user bot logs in to an account like a real user. Developers or QA engineers who script automated CI pipelines enter the login credentials for these virtual users into scripts. These scripts are not encrypted. They are saved to repositories such as Apache Subversion or Git, or to publicly accessible web servers such as GitHub. A source code scanner can detect such exposed credentials and stop attackers from reading them out of these scripts.
Prevent Buffer Overflow
Heartbleed exposed the details of hundreds of users of popular online services running OpenSSL through a buffer overflow vulnerability. A buffer is a region of allocated memory. In languages like C and assembly, there is no automatic bounds checking to ensure that the number of bytes to be written or read fits within the buffer. If data overflows past the buffer, extra data is read, and it may also overwrite the contents of adjacent addresses on the stack.
To detect buffer overflows, security testing teams should pay special attention to code where buffers are used, modified, and accessed. They should also check the functions where input is taken from the user or an outside source.
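As an added illustration of the review points above (example code, not from the original article), the C snippet below handles a length-prefixed record in an unchecked form, which trusts the sender's length field and reads past the received bytes, and a bounds-checked form that rejects the record instead. The record layout, the MAX_PAYLOAD size and the function names are constructed for this example.

```c
/* Added example: a length-prefixed "echo" record handler, unchecked vs. checked.
 * Record layout (constructed for this example): 2-byte big-endian payload
 * length, followed by the payload bytes. Not code from the original article. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_PAYLOAD 64   /* destination buffer size used by the demos below */

/* Read the sender's claimed payload length from the record header. */
static size_t claimed_length(const uint8_t *rec) {
    return ((size_t)rec[0] << 8) | rec[1];
}

/* UNSAFE: trusts the length field. If the claimed length exceeds the bytes
 * actually received, memcpy reads past the record buffer (the article's
 * "extra data is read" case) and can overflow `out`. Kept only for contrast. */
int echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                  /* the received size is ignored: the defect */
    size_t n = claimed_length(rec);
    memcpy(out, rec + 2, n);        /* no bounds check on source or destination */
    return (int)n;
}

/* SAFE: the claimed length must fit inside what was received AND inside the
 * destination; otherwise the record is rejected with -1. */
int echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len) {
    if (rec_len < 2) return -1;         /* header incomplete */
    size_t n = claimed_length(rec);
    if (n > rec_len - 2) return -1;     /* claims more bytes than were received */
    if (n > out_len) return -1;         /* would overflow the destination buffer */
    memcpy(out, rec + 2, n);
    return (int)n;                      /* bytes echoed */
}

/* Constructed sample records for demonstration. */
int demo_valid_record(void) {
    const uint8_t rec[] = {0x00, 0x03, 'a', 'b', 'c'};   /* claims 3, sends 3 */
    uint8_t out[MAX_PAYLOAD];
    return echo_checked(rec, sizeof rec, out, sizeof out); /* returns 3 */
}

int demo_lying_record(void) {
    const uint8_t rec[] = {0xFF, 0xFF, 'a', 'b', 'c'};   /* claims 65535, sends 3 */
    uint8_t out[MAX_PAYLOAD];
    return echo_checked(rec, sizeof rec, out, sizeof out); /* returns -1 */
}
```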
It is best to use languages and platforms that do not have buffer overflow vulnerabilities, such as Java, Python, and .NET.
Vulnerabilities in source code and protocols expose businesses to serious risk. Due diligence and a multi-layered security strategy can mitigate these risks considerably. Identifying risks in time helps testing teams put patches in place and conform to security requirements.