In Depth

Patching Software: The Big Fix

Insecure software is forcing vendors to do what they've never done before: make good software

By Scott Berinato

Page 5

"It's been a big change," he says. "We still get a lot of [customers saying], 'We're shipping in a week. Could you look at the app and make sure it's secure?' But we're seeing more clients sooner in the development process. Security always was the thing that delayed shipment, but they've started to see the benefits: better communication between developers, creating more robust applications that have fewer failures. The truth is, it doesn't take that much longer to write a line of code that doesn't have a buffer overflow than one that does. It's just building awareness into the process so that, eventually, your developers simply don't write buffers with unbounded strings."

In fact, it's a little more complicated than that. Even if, starting tomorrow, no new programs contained buffer overflows (and, of course, it will take years of training and development to minimize them), there are billions of lines of legacy code out there containing 300 variations on the buffer-overflow theme. What's more, a program with millions of lines of code can contain thousands of instances of buffer overflows. They are needles in a binary haystack.
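To make concrete what "a line of code that doesn't have a buffer overflow" looks like next to one that does, here is an added example in C. It is not code from the article or from @Stake; the field size NAME_LEN and the function names are hypothetical, and the inputs are constructed for the demonstration. The unbounded copy is the legacy pattern Wysopal describes; the bounded versions take the destination capacity, always leave a NUL-terminated string, and report truncation instead of hiding it.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* hypothetical fixed-size field, as a legacy program might declare it */

/* The legacy pattern: strcpy() copies until it finds the NUL byte in src and
 * never looks at the size of dst.  Any name longer than NAME_LEN - 1 bytes
 * writes past the end of the array.  Shown for comparison only; it is never
 * called with oversized input here, because that is undefined behaviour. */
void copy_name_unbounded(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* The bounded replacement: the caller passes the destination capacity, the
 * copy never writes more than cap bytes, the result is always
 * NUL-terminated, and truncation is reported rather than silently accepted.
 * Returns 0 on success, -1 if src did not fit (dst is then an empty string,
 * so even a caller that ignores the error still holds a valid string). */
int copy_name_bounded(char *dst, size_t cap, const char *src)
{
    if (cap == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= cap) {            /* no room for the bytes plus the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 includes the terminating NUL */
    return 0;
}

/* Same idea for formatted output.  snprintf() is bounded, but its return
 * value is the length the full output *would* have had, not the number of
 * bytes stored; treating it as "bytes written" in later offset arithmetic
 * is itself a classic overflow.  Returns the bytes actually stored
 * (excluding the NUL), or -1 on truncation. */
int format_greeting(char *dst, size_t cap, const char *name)
{
    int want = snprintf(dst, cap, "Hello, %s!", name);
    if (want < 0 || (size_t)want >= cap)
        return -1;
    return want;
}

int main(void)
{
    char name[NAME_LEN];
    char line[32];

    /* Constructed inputs: one that fits the field, one that does not. */
    const char *ok  = "alice";
    const char *bad = "a-name-that-is-far-too-long-for-the-field";

    printf("bounded copy of \"%s\": %d\n", ok, copy_name_bounded(name, sizeof name, ok));
    printf("bounded copy of long name: %d (dst=\"%s\")\n",
           copy_name_bounded(name, sizeof name, bad), name);
    printf("greeting: %d -> \"%s\"\n", format_greeting(line, sizeof line, ok), line);
    return 0;
}
```

The point is the one in the quote above: the bounded version is two extra lines and a size parameter, and the habit it builds is that the capacity of the destination is always in view at the call site. Passing `sizeof name` rather than a literal keeps the check correct if the field is later resized.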

Fortunately, some enterprising companies have built tools that automate the process of finding the buffers and fixing the software. The class of tool is called secure scanning or application scanning, and its effect could be profound. Such tools will allow CSOs, basically, to audit software. They have already become part of the security auditing process, and there's nothing to stop them from becoming part of the application sales process too. Wysopal tells the story of a CSO who brought him a firewall for vulnerability testing and scanning. When a host of serious flaws was found, the customer literally sent the product back to the vendor and, in so many words, said, "If you want us to buy this, fix these vulnerabilities." To preserve the sale, the vendor fixed the firewall.

Strong contracts are making software better for everyone. According to @Stake research, vendors should realize that there's an ROI in designing security into software earlier rather than later. But Wysopal believes that's not necessarily the only motivation for companies to improve their code's safety. "I think they also see the liability coming," he says. "I think they see the big companies building it into contracts."

A contract GE signed with software vendor General Magic Inc. earlier this year has security officers and experts giddy and encouraged by its language (see "Put It in Writing," this page). In essence it holds General Magic fully accountable for security flaws and dictates that the vendor pay for fixing the flaws.
