When software security flaws can it is useful to examine why building secure software is so difficult. fetch over a million dollars All our work in security rests on these difficulties and this article aims to collect the specifics inherent in application security so followup articles can offer solutions. It is not meant to be defeatist. Writing software is hard Securing software is hard but even writing it somewhat correctly is difficult. Finding security bugs in a subcategory of finding bugs in software. Software in a , a or a should probably be perfect but for the vast majority of software time to market, more features and other goals understandably come first. pacemaker satellite battleship We know it is possible for us as human beings to write flawless software, it is just really hard and often not prioritized. An example optimized towards quality/zero bugs is which is appropriate because the cost of a bug in that software is very high. is another. NASA and the curiosity rover Djbdns Unknown unknowns Testing shows the presence, not the absence of bugs — Dijkstra in 1969 report If we knew all the vulns we were searching for it would obviate the need to look in the first place. The number of vulns in the 100,000 lines of code comprising service $foo is unknown ahead of time. The universe doesn’t give us a yardstick to measure against, there is no “you have found 16/27 vulns, keep looking!” progress bar. While writing bug free code is difficult enough if we managed to accomplish that it its even harder yet to that it is bug-free. is hard. NIST has about security + formal verification which is the state of the art in this area. prove Proving a negative an awesome paper The absence of evidence is not necessarily . evidence of absence Inconsistent Even the process of measuring the full set of human-findable bugs in a codebase differs between who is looking, how, and . what they had for lunch I ran a trial at Facebook where 10 security consulting companies audited the same code. Code my team had already carefully audited. All 10 found the same pool of shallow bugs (about half) but the remaining issues were all over the map, including one we ourselves had missed. Each person brings their own long tail of security knowledge to bear. Contrast this with something like performance (another attribute of “quality” in software) where it is trivial to measure progress. Inconsistent is another way to say probabilistic. Like mining for gold finding security bugs involves expending effort for a possibility, not a promise, of discovery. Opposition We don’t always get to know who our competition is. It is not FUD to say nations may actively to do this. be trying I sometimes think of product security as a race. A race for us to find the lurking security flaws before someone else does who would use them for harm. Weighting Consistently judging the severity of a vuln is hard. We have this discussion every week at work when rewarding bug bounty issues. Is one really good account takeover bug worth 10 less critical bugs? 100?Its hard to agree on this among any two security engineers but is a prerequisite to optimizing time investment in the areas that will benefit holistic “security” the most. is currently the best answer we have to grade the criticality of bugs. CVSS Constraints Despite best efforts and big budgets we will never be able to deeply review the whole codebase for security flaws. If we somehow did by the time we completed it will have changed significantly. This isn’t fatalism but fact. Timeline Security is often on a longer timeline than you expect. Its possible to harm security with a decision whose result wont arrive for years. is how hackers start their afternoons. We’re a part of the family. We are now and happy to opportunities. Hacker Noon @AMI accepting submissions discuss advertising &sponsorship To learn more, , , or simply, read our about page like/message us on Facebook tweet/DM @HackerNoon. If you enjoyed this story, we recommend reading our and . Until next time, don’t take the realities of the world for granted! latest tech stories trending tech stories

Discovery

Facebook

Fetch

Too Long; Didn't Read

Questions about cloud security? Get answers here.

Why product security is hard

Too Long; Didn't Read

Companies Mentioned

Collin Greene

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Why product security is hard

Too Long; Didn't Read

Companies Mentioned

Collin Greene

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES