While errors and bugs in coding technology may not always be harmful, many of them can be exploited by bad actors and result in vulnerabilities. Bad actors can leverage vulnerabilities to get the software to act in unexpected ways, potentially impacting the performance and security of the software. This could also give untrustworthy agents access to confidential customer data and products, potentially damaging business reputation.
However, thousands of code vulnerabilities are discovered, patched, and publicly disclosed every year to improve security for current and potential users. Finding code vulnerabilities is not only an intellectual challenge for ethical researchers but also allows them to examine real-world cases, test and refine rules, and enhance products. In addition, vulnerability reports assist in keeping users and affected businesses safe.
Therefore, it is important to have resources dedicated to this effort. This article will discuss top vulnerabilities discovered in widely-used applications, the commonalities amongst these vulnerabilities, and how clean code practices from the ground up can prevent vulnerabilities from entering their apps and services in the first place.
Discoveries in Popular Applications
WordPress is utilized by almost 40% of all websites and is the most widely used content management system in the world. Thanks to its simplicity, millions of users can host their blog, eCommerce site, or static website. In the past, a number of security hardening measures have been added to WordPress’s code base to safeguard its users. However, an Object Injection vulnerability was recently found, which is a code vulnerability that allows attackers to insert PHP objects of any type into the application to then use it to alter the application’s logic at runtime. This could also allow an attacker to perform different kinds of malicious attacks or even lead to a full site takeover.
Another vulnerability discovered was in Zimbra Email, a popular webmail solution similar to Microsoft Exchange. According to its website Zimbra is used by over 200,000 enterprises, universities, and financial and government institutions around the globe. With the solution’s mail servers, load balancing features, and a powerful web interface, users can log in to their Zimbra mail accounts to read and send private emails. Ethical researchers discovered a Memcache Injection in Zimbra which lets an attacker target and steal login information from users of a targeted Zimbra deployment. With mail access, attackers may be able to get access to various internal systems and take extremely sensitive data. They can also change passwords, pose as their victim, and listen in on every private conversation within the targeted business.
Commonalities in Code Vulnerabilities
Security vulnerabilities are ubiquitous. Even complex, hardened code-bases can contain potentially serious flaws. However, there is one commonality in many exploited vulnerabilities – most security vulnerabilities are in the source code of business applications, and many of these security issues can be discovered early during development.
Developers today are doing a great job of delivering new and enhanced features to meet the demanding time-to-market requirements. In this role, they ensure that the code they develop is functional, performant, and error-free. Today, most organizations require code security checks to be closely governed by security champions where these checks are usually performed in later stages of the development workflow. The effect of this delay means that issues discovered later (or missed completely) add long feedback loops to the developer. This requires developers to switch their current context to focus on fixing issues long after they’ve committed their original code. As a result, product time-to-market and developer productivity take a direct hit.
The “Clean as You Code” Approach to Writing Secure Code
The “clean as you code” approach addresses security at the core, when code is being written, and provides developers with the tooling and education they require to deliver quality, secure code. Code that is not adequately maintained, reliable, or of lower quality is susceptible to security issues. There is no one better positioned to fix issues in code than the developer actively working on it.
When security considerations are part of the development workflow and are addressed up front, the overall burden on security and development teams reduces significantly, as fewer issues reach final security checks. This means no more after-the-fact costly rework and lengthy feedback cycles. The result is a streamlined and efficient approach to handling code security.
To conclude, vulnerabilities in source code can be detrimental to an organization’s reputation. Adopting simple, non-disruptive clean code best practices can help organizations mitigate threats, combat the problem of vulnerabilities recurring in code, and extend the lifetime of their business application as a result.
Johannes Dahse is head of R&D at SonarSource