IBM Rational has written a solid white paper on software security, focusing on improving code reviews. Although I rarely (very rarely) endorse a vendor white paper, this is one that’s worth reading.
Written in December 2009 by Ryan Berg, a senior security architect at IBM, the paper focuses on best practices for examining code for security flaws, and then figuring out how to remediate those flaws. The paper, called “The Path to a Secure Application,” breaks the vulnerabilities into five specific categories, each of which is examined in detail:
• Security-related functions
• Input/Output validation and encoding errors
• Error handling and logging vulnerabilities
• Insecure components
• Coding errors
For each of those vulnerability categories, Berg describes specific instances and offers a list of suspicious code behavior that might indicate problems. For example, for insecure components, he offers that you might have unsafe Java Native Interface methods, or unsupported methods. Suspicious behavior would include raw socket accesses, which could indicate possible backdoors; timer or get-time functions, which might mean triggers; or privilege changes, which might speak to unauthorized access levels within the code.
What’s nice about this paper is that, unlike many that cross my desk, Berg isn’t setting up a paper tiger. He’s not highlighting flaws so that he can say, “Oh, look, IBM sells tools to solve this problem, call us today.” While IBM Rational does offer source-code scanning tools, this white paper ain’t peddling them. Rather, Berg is offering guidelines for making a QA checklist for reviewing source code for secure vulnerabilities. Nicely done!
I wish more white papers were this good and this genuinely educational.