“We’ll do anything to fix cybersecurity – except build software correctly”.
[ with thanks to my CTO, Eric De Grasse, for the hard part – parsing the code ]
24 October 2022 (Paris, France) – There is a maxim in the cybersecurity industry, best articulated by Elio Grieco, one of my team’s brilliant, creative “must follow” chaps on LinkedIn. Elio has superb computer skills, from programming to usage, and a deep knowledge of cybersecurity issues. As Elio recently noted:
“We’ll do anything to fix cybersecurity – except build software correctly”.
It is the same old story. As I have noted numerous times, software developers don’t have a choice. Speed becomes a business imperative for survival and to stay competitive, and software development is done in this grinding environment. Forces always seem to be pulling in opposite directions, between management, client, and developer ideologies. We have developed a culture of “agility” without always retaining the appropriate balance with quality and security. We should – but never will – go back to basics and ensure the fundamental steps in development are followed, even when the schedule is accelerated.
And a bigger issue, again calling on Elio Grieco:
“It’s also helped that between ToS, EULA, and other custom vendor contracts software companies have been able to completely shift liability to the customer. Software is delivered “as is” with “no warranties, express or implied”. No other engineering profession has been as successful in abdicating their responsibilities to their customers”.
But the biggest issue right now is that the increasing complexity of cloud, multi-cloud, and hybrid network environments and the rapidly evolving nature of adversary threats have exposed the Achilles heel of traditional network cybersecurity defenses. In a recent chat I had with another cybersecurity maven, Steve King:
“Traditional defenses with multiple layers of disjointed security technologies are ineffective against modern threat actors. We need a better way to provide secured, unified-yet-granular access control to data, services, applications, and infrastructure. Some skeptics may not want to hear this, but with impaired visibility, risk-ignorant access decisions, and manual detection and response, we cannot prevent breaches.
Size and complexity are the enemies of cybersecurity. In cybersecurity we are always faced with the chance that our system harbors some unknown vulnerability – especially in code – and the possibility that the vulnerability will be discovered by some malicious actor who will then use it against our system, as well as other, similar systems. Cybersecurity vulnerabilities are the result of two kinds of errors or defects: design errors and implementation errors”.
A design error occurs when the functionality of a system or component is not properly and comprehensively analyzed and understood, so that the resulting design does not cover all possible use cases. Analysis of a system requires understanding and capturing all the ways the system will be used, as well as the limits on how it will be used, so that only the planned functionality is enabled by the system. The design is the plan for how the system will implement the functionality that satisfies the analysis results. The design captures the structure of a system or component and how its major functionality is partitioned.
Implementation is the realization of the design: the development of the system or component using software development tools such as editors and compilers, in the specified languages and frameworks. All configuration is also part of the implementation. The development process often includes build and integration processes, coding standards, design patterns, code reviews, and testing as methods to increase the likelihood that the resulting implementation is true to the design and has the fewest defects possible.
And that brings us to code, open source and malware.
As we have noted in numerous posts, there has been a frenzy in adopting open source – and the concomitant blind spots.
NOTE TO READERS: in brief, open source is source code that is made freely available for possible modification and redistribution. Products include permission to use the source code, design documents, or content of the product. The open-source model is a decentralized software development model that encourages open collaboration.
The mantra is that open source delivers high value software. Open source also provides useful information, with metatags, and these data can be cross-correlated to provide useful insight for investigators. Open source has even made it easier for all of us to follow the Ukraine war, often with better information than those in the war-fighting hot spots have, as I have covered here.
So open source is the answer. Well, except when it’s not.
If you want a reminder about the slippery parts of open source information, navigate over to “Thousands of GitHub Repositories Deliver Fake PoC Exploits with Malware”. The write up reports:
“According to the technical paper from the researchers at Leiden Institute of Advanced Computer Science, the possibility of getting infected with malware instead of obtaining a PoC could be as high as 10.3%, excluding proven fakes and prankware”.
Not a big deal, right? Wrong. These data, even if the percentage is adrift, point to a vulnerability caused by the open source cheerleaders, even me.
The write up does a very good job of providing examples, but many will be incomprehensible to most people who do not get into the weeds of cybersecurity and software development.
However, the main point of the write up is that open source software repositories can be swizzled: additional functions can be slipped into the software, libraries, executables, and other bits and bobs. If that takes place, the malicious code rides along until called upon to perform an unexpected and possibly difficult to identify action.
Cybersecurity is primarily reactive. Embedded malware can be proactive, particularly if it uses a previously unknown code flaw. The most interesting part of the write up:
“The researchers have reported all the malicious repositories they discovered to GitHub, but it will take some time until all of them are reviewed and removed, so many still remain available to the public. As Soufian [a Darktrace expert] explained, their study aims not just to serve as a one-time cleaning action on GitHub but to act as a trigger to develop an automated solution that could be used to flag malicious instructions in the uploaded code”.
This raises the question of whether what is really needed is not just remedial action on the code problem but work on the workflows and verification for open source, and on the processing and the systems around it. As one analyst noted, think about injecting Fibonacci sequences into certain quantum computer operations. Can the injection of crafted numerical strings into automated content processing systems throw a wrench into the works? The answer to this question is, “Oh, yes.”
Cybersecurity is a difficult profession to work in because it is constantly changing and evolving. New threats and vulnerabilities are discovered every day. The most difficult aspect of cybersecurity is maintaining continuity: regardless of your experience level, you will need to keep learning and stay up to date with industry trends in order to stay competitive.
And, like most any other field, you must be willing to put in the required effort and time. You also need advanced math skills, problem-solving skills, and technical experience. Cybersecurity can sometimes be more difficult than programming because it includes many different elements, including programming itself. You must understand how to code, how code is infiltrated, and how to prevent that infiltration. This is one of the most difficult aspects of cybersecurity.