Software Development and Security Training
Prior to every DeepSec conference we offer two-day trainings, and we regularly advertise trainings on secure software development. Attending security-centric workshops is really not meant as a humiliation. Modern (and not so modern) software development deals with a lot of code and dependencies. Even if your code is clean and well-written there’s a chance that something you rely on isn’t. This happens a lot with library functions (think DLLs) and thus can happen in high level programming languages, too. A training focussing on security will sharpen your „spider sense“ and you will be able to detect sections of code that can go wrong more easily.
This is also true for reading documentation. Take a look at CVE-2012-2122. In essence you can get access to some MySQL database servers by repeatedly trying to access an account with a password of your choice. When analysing the cause you end up with the memcmp() function of the C library and its return values. It compares the first n bytes of two regions of memory (let’s name them s1 and s2). The documentation says:
The memcmp() function returns an integer less than, equal to, or greater than zero if the first n bytes of s1 is found, respectively, to be less than, to match, or be greater than the first n bytes of s2.
So the result consists of either a negative number, exactly 0 or a positive number. If you evaluate the result and use any other number than 0, then you are in trouble (and it won’t do you any good to blame it on the compiler or the C library in this case). Given proper security training your „spider-sense“ might ring and help you finding the error before it goes into production code. It’s basically the same as getting proficient with a programming language, only the focus and the details are different. And just as in „real programming“ you have to refresh your skills from time to time by looking at coding and code from different perspectives. Welcome to the wonderful world of secure software design!
If your company has anything to do with software development of any kind (either from scratch or by using components), you should keep this in mind. The schedule for DeepSec 2012 will be published in August, right with the trainings.