As most code is derived from code bases, if you only test your own code, you are missing a large part of the attack surface.
Speaking to IT Security Guru, Chris Eng, vice president of security research at Veracode, suggested that most software is not written entirely from scratch; only ten per cent of code is, and 90 per cent comes from other libraries and products, such as OpenSSL for example.
Eng said that as data breaches are getting tied to the application layer more and more, with such a small percentage of application code being written in-house there is a lot of vendor code that is being exploited.
“Look at the Verizon report and what was attributed to SQL Injection and application layer hacking,” he said. “Often it is in a component that you included, and I think a growing concern is CISO realise it is a major part of the risk profile and trying to bring it under control.”
“Focus on third party apps and test at the point of enterprise so you know what you are facing. In the last year or two this has been a more programmatic approach, but now we are focusing on the CISO and procurement to incorporate language, scanning and security rigour into the process.”
David Harley, senior research fellow at ESET, told IT Security Guru that he completely agreed with Eng, and that he could not think of any substantial coding project that he had worked on where he had not made heavy use of pre-existing code libraries.
He said: “Not that I was ever a career programmer, but a systems administrator needs to be able to handle a compiler. If I was still doing that sort of thing, I’d be even more scrupulous now about examining library source code, not just reading the documentation on how to call routines from it.
“However, the complexity of modern software makes it all but impossible to check every byte of the libraries and APIs you use.”
Harley cited Ken Thompson’s paper “Reflections on Trusting Trust”, which he said was published in 1984, but was still very much to the point.
“As Thompson said in his conclusion/moral. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me). No amount of source-level verification or scrutiny will protect you from using untrusted code.”