DeepSec 2018 Talk: Uncovering Vulnerabilities in Secure Coding Guidelines – Fernando Arnaboldi

Several government-related and private organizations provide guidance on how to improve the security of existing software as well as best practices for developing new code. These organizations include the Computer Emergency Readiness Team (CERT) Secure Coding Standards, Common Weakness Enumeration (CWE), Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) Software Assurance Metrics.

Fernando’s talk will expose multiple exploitable vulnerabilities in secure code that follows the recommendations of each of these organizations. Even though these guidelines were created to improve software security, they may also introduce vulnerabilities of their own when the recommended snippets have not been analysed carefully enough.

Within secure code snippets, reviewed by many and considered trustworthy by all, are issues that attackers could exploit to escape secure directories, abuse insecure hashing and encryption practices, or even expose applications to SQL injection attacks, among others.
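To make the "escape secure directories" point concrete, here is an added example (constructed for this page, not code from the talk or from any of the guidelines named above): a directory-confinement check that normalises the path and then compares a string prefix, of the kind such snippets often use, beside a check that resolves symlinks and compares whole path components. The base directory, file names and helper functions are assumptions made for the example.

```python
import os
import tempfile


def naive_is_confined(base_dir: str, user_path: str) -> bool:
    """Weak check of the 'normalise, then compare the string prefix' kind
    (constructed for this example, not quoted from any guideline).
    abspath() collapses '..' segments, so plain traversal is rejected, but
    the final test is only a character prefix and symlinks are never resolved."""
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, user_path))
    return target.startswith(base)


def is_confined(base_dir: str, user_path: str) -> bool:
    """Hardened check: resolve symlinks on both sides, then compare whole
    path components so '<base>_private' is not mistaken for '<base>'."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def sibling_prefix_case(base_dir: str = "/srv/app/uploads"):
    """A sibling directory whose name merely starts with the base name
    (assumed path; it need not exist). Returns (naive_verdict, hardened_verdict)."""
    escape = os.path.join("..", os.path.basename(base_dir) + "_private", "x")
    return naive_is_confined(base_dir, escape), is_confined(base_dir, escape)


def symlink_case():
    """A symlink inside the base directory that points outside it.
    Builds a throwaway tree under a temp dir; returns (naive, hardened)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")
        outside = os.path.join(root, "secret")
        os.makedirs(base)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(base, "link"))
        return naive_is_confined(base, "link/passwd"), is_confined(base, "link/passwd")


if __name__ == "__main__":
    # Both cases: the naive check says "inside", the hardened check says "outside".
    print("sibling prefix:", sibling_prefix_case())
    print("symlink:", symlink_case())
```

Note that the naive check does reject a plain `../etc/passwd`, which is exactly why such a snippet reads as secure in a guideline; the defects only show on the sibling-prefix and symlink inputs.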

We asked Fernando a few questions about his topic of expertise.

Please tell us the top 5 facts about your talk.

  1. Secure coding guidelines may introduce vulnerabilities.
  2. Insecure practices range from insecure configurations to insecure implementations.
  3. Insecure recommendations are published by government, private and public organizations.
  4. The unwanted behaviours are a consequence of insecure and complex functionalities in software.
  5. Not all of the vulnerabilities will be detected by static source code analysers.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Last year I analyzed how applications could defend themselves from attacks. To expose how the most secure applications could use an approach like this, I analyzed whether it could be implemented on secure coding guidelines. When presenting my embedded defense talk at Ruxcon (2017) and OWASP (2018), I exemplified how attackers could bypass secure code snippets from secure coding guidelines.

Why do you think this is an important topic?

It is a funny oxymoron that there are vulnerabilities in the recommendations of secure coding guidelines.

Is there something you want everybody to know – some good advice for our readers maybe?

We need to start to perform peer reviews on the secure coding guidelines that we use and restrict insecure functionalities in software.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Programming languages will start including fewer insecure functionalities. Restricting the existence of potential vulnerabilities and insecure functions will be more effective than analyzing what not to do.


Fernando Arnaboldi is a developer and a security consultant who specializes in penetration testing and code reviews on multiple platforms. He has focused his research on how programming languages can be used both to exploit vulnerabilities and to defend applications. He has presented his findings at security conferences such as Black Hat USA & Europe, DEF CON, OWASP AppSec USA & Europe, Ruxcon and HITB.
