Keeping up with Software Security
Posted by Steve Lay
Readers of this blog will be familiar with many of the techniques that can be used to improve the security of your testing programmes. Part of that picture involves securing the software you use. With cyber-warfare very much in the news, I thought I’d take this opportunity to tell you a little about some of the challenges involved in keeping up with the bad guys.
It seems obvious that we all want the software we use to be secure, but security isn’t just a feature that can be implemented once like a new menu option in an application. The security landscape is constantly changing and software needs to change to remain secure.
Anyone who uses a PC or a web browser will know that software updates are pushed out routinely. Even my mobile phone receives updates on a regular basis. It isn’t always easy to tell why software is being updated, but in many cases the updates do contain important security fixes that address newly discovered vulnerabilities.
To give just one example of why this environment is so challenging, in late December 2011, the US Computer Emergency Readiness Team (US-CERT) issued a bulletin concerning a very basic weakness in many web applications (See http://www.kb.cert.org/vuls/id/903934). The weakness involved the parameters passed to web applications by your browser when you fill in an online form. A malicious user could cause the web server to slow down by sending it carefully selected parameters. There was no threat to the confidentiality of the information on the server, but there was a threat to the service availability. Suddenly it was possible for a suitably motivated individual to take almost any website offline. This type of attack is known as a “Denial of Service” or DoS attack.
Fortunately, software developers quickly addressed the problem and patches were distributed for affected systems including the frameworks we use. The team that runs Questionmark OnDemand was quick to act and the patches were tested and deployed very rapidly.
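The bulletin cited above (VU#903934) concerns hash-table implementations whose lookups degrade to worst-case behaviour when a request carries many parameters chosen to collide, and the patches the post mentions typically worked by capping how many parameters a request may carry, by randomising the hash function, or both. The following is an added example, not Questionmark’s code nor any framework’s: a small form-body parser that enforces limits on body size and parameter count before the values ever reach the application’s dictionary, so that the work done on a hostile request is bounded. The limit values, the exception name and the helper names are assumptions made for this illustration.

```python
"""Defensive form-parameter parsing with an upper bound on request size and
parameter count (added example; not Questionmark's or any framework's code).

The idea: reject a request before its parameters are inserted into a hash
table, so the cost of handling a crafted request stays small and predictable.
Python's own urllib.parse.parse_qs accepts a max_num_fields argument for the
same reason; the check is written out here so the mechanism is visible.
"""
from urllib.parse import unquote_plus


class RequestTooLarge(Exception):
    """Raised when a form body exceeds one of the configured limits."""


# Constructed limits for the example; real deployments tune these per service.
MAX_PARAMS = 1000            # upper bound on key=value pairs per request
MAX_BODY_BYTES = 64 * 1024   # upper bound on the raw body size


def parse_form_params(body: bytes, max_params: int = MAX_PARAMS,
                      max_body_bytes: int = MAX_BODY_BYTES) -> dict:
    """Parse an application/x-www-form-urlencoded body into a dict.

    Raises RequestTooLarge as soon as a limit is exceeded, so the work spent
    on an over-sized request is bounded by the limit rather than by the
    attacker's chosen size.
    """
    # Size check first: O(1), and it runs before any parsing work.
    if len(body) > max_body_bytes:
        raise RequestTooLarge(
            f"body of {len(body)} bytes exceeds limit of {max_body_bytes}")

    text = body.decode("latin-1")   # one byte per char; percent-escapes decoded below
    params = {}
    count = 0
    for pair in text.split("&"):
        if not pair:
            continue                # tolerate trailing or doubled '&'
        count += 1
        # Enforce the count while iterating, not after building the dict.
        if count > max_params:
            raise RequestTooLarge(f"more than {max_params} parameters")
        key, _, value = pair.partition("=")
        # unquote_plus handles %XX escapes and '+' as space (utf-8 by default).
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def is_within_limits(body: bytes, max_params: int = MAX_PARAMS,
                     max_body_bytes: int = MAX_BODY_BYTES) -> bool:
    """Convenience wrapper: True if the body would be accepted, else False."""
    try:
        parse_form_params(body, max_params, max_body_bytes)
        return True
    except RequestTooLarge:
        return False


if __name__ == "__main__":
    # Constructed sample bodies: a normal form post and an over-long one.
    normal = b"name=Alice&age=30&q=a+b%21"
    print(parse_form_params(normal))
    flood = b"&".join(b"k%d=v" % i for i in range(5000))
    print("flood accepted:", is_within_limits(flood))
```

The count check sits inside the loop rather than after `split`, so a request with ten times the allowed parameters costs only slightly more than one that is exactly at the limit; the body-size check in front of it keeps even the `split` call from operating on arbitrarily large input. Both limits should be set generously for legitimate forms and logged when tripped, since a burst of rejections is itself a useful detection signal.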
Although the breadth of systems affected was unusual in this case, in many respects this was a typical incident. Nobody sets out to make software that is insecure, but as we learn more about computing we discover new ways that systems can be misused. Keeping software up to date is critical to maintaining security. Users of Questionmark OnDemand can be confident that our team of system administrators puts a very high priority on keeping the service current. You can read more about the trustable platform we use for Questionmark OnDemand in our white paper, Security of Questionmark’s OnDemand Service.
I’ve chosen to highlight a fairly dramatic case in this blog post, but sometimes we do get more warning. Cryptography is an important tool in the security arsenal. Computer scientists and mathematicians develop the algorithms on which cryptography depends. Cryptography doesn’t make it impossible to read confidential information; it is designed to make it impractical with the technology available today. As computers get faster, the codes become more vulnerable until eventually they have to be retired and replaced with new, stronger codes. You can actually see this effect in the results of the RSA Challenges. RSA offered prizes to people who could crack codes of increasing strength. Just looking at the years in which each prize was awarded gives a feeling for the dynamic nature of this field: 1991, 1992, 1993, 1994, 1996, 1999, 2003, and the last prize was awarded in 2005 (US$20,000).
This may all sound esoteric, but behind the scenes our developers are working on issues like these to ensure that Questionmark technologies continue to meet the strictest requirements, and that we stay ahead of the code-breakers.