Monday, December 03, 2001

News: Got hacked? Blame it on the software
There's only one problem with software development these days, according to security analyst and author Gary McGraw: It isn't any good.

McGraw, noted for his books on Java security, is out with a new book that purports to tell software developers how to do it better. Titled Building Secure Software and co-authored with technologist John Viega, the book provides a plan for designing software better able to resist the hacker attacks and worm infestations that plague the networked world.

At the root of the problem, McGraw argues, lies "bad software." While the market demands that software companies develop more features more quickly, McGraw and others in the security field are sounding the alarm that complex and hastily designed applications are sure to be shot through with security holes.

McGraw's top five software-security nightmares
1. Buffer overflow
An attacker supplies more data to a fixed-size buffer (an input field, a network message, a file name) than the program was written to hold. The excess overwrites adjacent memory, and in some cases can be run as executable code, effectively giving the attacker control of the program without being constrained by its security measures.

2. Race condition
"The idea is that you have something that should be done in an atomic fashion, all at once, that is done instead in multiple steps, and an attacker can sneak in between the steps and change things."

3. Random number generation
"The problem is that computers are predictable. And predictability turns out to be a big problem for cryptography, because what you want for cryptographic keys is real randomness, not pseudo-randomness. That's a mistake that a lot of programmers make."

4. Misuse of cryptography
"A lot of programmers think they can roll their own algorithms. But it turns out that crypto is a highly sophisticated art, and you need to be trained to do it."
5. Trust problems
"Not validating input, or (putting too much trust in things) sending you a message. No. 5 also could be authentication; it's a toss-up."
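An added illustration of item 1 (and of the "not validating input" half of item 5), not code from the ZDNet article or from McGraw and Viega's book: a hypothetical account record whose fixed-size name buffer sits directly in front of a privilege flag, a copy routine that trusts the length of its input, and the bounds-checked version beside it. The struct, the field names and the attacker string are all assumptions made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical record (an assumption for this example): a 16-byte name
 * buffer immediately followed by a privilege flag. */
struct account {
    char name[16];
    int  is_admin;
};

/* VULNERABLE: a hand-rolled strcpy. It copies until the source's NUL
 * terminator and never consults sizeof acct->name, so a name of 16 or
 * more characters writes past the buffer into is_admin and whatever
 * lies beyond it in memory. */
void set_name_unsafe(struct account *acct, const char *src)
{
    for (size_t i = 0; ; i++) {
        acct->name[i] = src[i];     /* no check against sizeof acct->name */
        if (src[i] == '\0')
            break;
    }
}

/* HARDENED: the destination size is the limit, not the attacker's input.
 * Over-long names are rejected outright (silent truncation would also be
 * memory-safe, but then two distinct inputs map to the same stored name).
 * Returns 0 on success, -1 if the input was rejected. */
int set_name_safe(struct account *acct, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof acct->name)     /* need room for the terminating NUL */
        return -1;
    memcpy(acct->name, src, n + 1); /* n + 1 copies the NUL as well */
    return 0;
}

int main(void)
{
    /* Constructed attacker input: 20 bytes, enough to reach is_admin. */
    const char *attack = "AAAAAAAAAAAAAAAAAAAA";

    struct account a = { "guest", 0 };
    set_name_unsafe(&a, attack);    /* undefined behaviour: bytes land past name[] */
    printf("unsafe: is_admin=%d (was 0 before the copy)\n", a.is_admin);

    struct account b = { "guest", 0 };
    int rc = set_name_safe(&b, attack);
    printf("safe:   rc=%d name=\"%s\" is_admin=%d\n", rc, b.name, b.is_admin);
    return 0;
}
```

The unsafe copy is what strcpy does internally; the only difference in the hardened version is that the length check happens before the first byte is written, so a rejected input leaves the record exactly as it was.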
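An added illustration of item 3, not code from the article or the book: a "session token" built from rand() seeded with the clock, the attacker's routine that recovers the seed by replaying the generator over a window of plausible timestamps, and a version that draws its bytes from the operating system's entropy pool instead. The token format, the window size and the use of /dev/urandom are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define TOKEN_LEN 16
static const char HEX[] = "0123456789abcdef";

/* WEAK: the mistake the quote describes. rand() is a deterministic
 * generator, so the only secret is the seed, and seeding from the clock
 * leaves just a few thousand plausible seeds for an attacker to try. */
void make_token_weak(unsigned seed, char out[TOKEN_LEN + 1])
{
    srand(seed);
    for (int i = 0; i < TOKEN_LEN; i++)
        out[i] = HEX[rand() % 16];
    out[TOKEN_LEN] = '\0';
}

/* Attacker's side: given a token and a rough idea of when it was issued,
 * rerun the same generator for every second in the window until the
 * output matches. Returns the recovered seed, or -1 if none matched. */
long recover_seed(const char *token, long approx_time, long window)
{
    char guess[TOKEN_LEN + 1];
    for (long s = approx_time - window; s <= approx_time + window; s++) {
        make_token_weak((unsigned)s, guess);
        if (strcmp(guess, token) == 0)
            return s;
    }
    return -1;
}

/* STRONGER: take the bytes from the OS entropy pool; there is no seed to
 * recover. Assumes /dev/urandom exists (Unix-like systems). Returns 0 on
 * success, -1 if the device could not be read. */
int make_token_strong(char out[TOKEN_LEN + 1])
{
    unsigned char raw[TOKEN_LEN];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw)
        return -1;
    for (int i = 0; i < TOKEN_LEN; i++)
        out[i] = HEX[raw[i] % 16];  /* keeps 4 bits per byte; fine for a demo */
    out[TOKEN_LEN] = '\0';
    return 0;
}

int main(void)
{
    char token[TOKEN_LEN + 1], strong[TOKEN_LEN + 1];
    long issued = (long)time(NULL);

    make_token_weak((unsigned)issued, token);
    /* The attacker knows only the token and that it was issued "a minute or so ago". */
    long found = recover_seed(token, issued + 37, 120);
    printf("weak token   %s  recovered seed %ld (actual %ld)\n", token, found, issued);

    if (make_token_strong(strong) == 0)
        printf("strong token %s  (no seed to recover)\n", strong);
    return 0;
}
```

The recovery works because both sides run the same rand() implementation; that is the point of the quote. A 16-character hex token looks like 64 bits of secret, but with a clock seed the effective secret is the few hundred seconds of uncertainty about when it was issued.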
http://www.zdnet.com/zdnn/stories/news/0,4586,2829102,00.html
