Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Sunday, 29 January, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Flaws in code come from use of large libraries

by The Gurus
May 21, 2014
in Editor's News
Share on FacebookShare on Twitter

As most code is derived from code bases, if you only test your own code, you are missing a large part of the attack surface.
 
Speaking to IT Security Guru, Chris Eng, vice president of security research at Veracode, suggested that most software is not written entirely from scratch; only ten per cent of code is, and 90 per cent comes from other libraries and products, such as OpenSSL for example.
 
Eng said that as data breaches are getting tied to the application layer more and more, with such a small percentage of application code being written in-house there is a lot of vendor code that is being exploited.
 
“Look at the Verizon report and what was attributed to SQL Injection and application layer hacking,” he said. “Often it is in a component that you included, and I think a growing concern is CISO realise it is a major part of the risk profile and trying to bring it under control.”
 
“Focus on third party apps and test at the point of enterprise so you know what you are facing. In the last year or two this has been a more programmatic approach, but now we are focusing on the CISO and procurement to incorporate language, scanning and security rigour into the process.”
David Harley, senior research fellow at ESET, told IT Security Guru that he completely agreed with Eng, and that he could not think of any substantial coding project that he had worked on where he had not made heavy use of pre-existing code libraries.
 
He said: “Not that I was ever a career programmer, but a systems administrator needs to be able to handle a compiler. If I was still doing that sort of thing, I’d be even more scrupulous now about examining library source code, not just reading the documentation on how to call routines from it.
 
“However, the complexity of modern software makes it all but impossible to check every byte of the libraries and APIs you use.”
 
Harley cited Ken Thompson’s paper “Reflections on Trusting Trust”, which he said was published in 1984, but was still very much to the point.
 
“As Thompson said in his conclusion/moral. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me). No amount of source-level verification or scrutiny will protect you from using untrusted code.”

FacebookTweetLinkedIn
Tags: codeFlawVulnerability
ShareTweetShare
Previous Post

US Drags In Cyber Defenses

Next Post

China charged by US Government – industry views

Recent News

Data Privacy Day: Securing your data with a password manager

Data Privacy Day: Securing your data with a password manager

January 27, 2023
#MIWIC2022: Carole Embling, Metro Bank

#MIWIC2022: Carole Embling, Metro Bank

January 26, 2023
Lupovis eliminates false positive security alerts for security analysts and MSSPs

Lupovis eliminates false positive security alerts for security analysts and MSSPs

January 26, 2023
Threat actors launch one malicious attack every minute

Threat actors launch one malicious attack every minute

January 25, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information