Few things are as bad as a serious flaw found in the source code of an application at the wrong time. Vulnerabilities in software source code have a damaging impact on the vendor, the service provider and the end user. They incite mistrust and fear and damage the reputation of developers and publishers. According to a study by Carnegie Mellon University, approximately 90% of security incidents come from software bugs.
However, it’s both surprising and disappointing to see that developers aren’t putting enough energy into rooting out vulnerabilities from their source code before releasing their software. And I don’t mean only small firms and developer studios; I’m talking about the big players as well. Here are four serious flaws found in recent months that definitely could have been discovered and eliminated long before the software went into production, and that warn us that something has to change in source code review.
Backdoors in Juniper Networks
Last December, tech giant Juniper Networks, which offers services to the likes of AT&T, Verizon, NATO and the U.S. government, announced that it had found two backdoors that had been mysteriously embedded in the software running on its firewalls and could be exploited to decrypt protected data passing through its virtual private networks (VPNs). The backdoor was made possible by a long-deprecated pseudo-random number generator, Dual_EC_DRBG, that Juniper used in its encryption code: an NSA-developed algorithm known to have exploitable properties. A weak randomization mechanism can enable malicious actors to predict the sequences from which keys are generated.
Hard-coded passwords in FortiOS
Less than a month later, researchers found a different but no less critical flaw in source code belonging to Juniper competitor Fortinet. The vulnerability in question was a hard-coded password that allowed remote SSH access to servers running Fortinet’s FortiOS software. Fortinet denied that its software had been compromised by malicious parties and dismissed the bug as a maintenance issue that had been patched in newer versions of FortiOS. The flaw was serious enough to be classified as a backdoor by experts, and was present in versions of the software shipped between 2013 and 2014.
Superhero account hidden in AMX conferencing gear
Earlier this year, AMX, a provider of audio-visual conferencing gear that equips government and military facilities, announced that it had removed a “deliberate” backdoor discovered by experts at SEC Consult. The vulnerability consisted of an account deliberately hidden in the list of database users – described by the manufacturer as a debugging account – with administrative privileges on AMX devices. The account was initially named after Black Widow, a superhero from Marvel Comics’ Avengers series, but was later renamed after DC’s Batman once it had been discovered and reported by SEC Consult.
Non-prime encryption keys in Socat
In a more recent case, Socat, the well-known open-source network utility widely used by administrators and security professionals, was found to use a non-prime parameter to negotiate encryption keys. Prime moduli are one of the most basic requirements of asymmetric encryption algorithms, and using a composite parameter can allow attackers to calculate the secret keys and decrypt protected communications. This particular flaw was introduced into the program by a source code patch submitted in January 2015, which means it went unnoticed for more than a year.
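As an added illustration (not part of the original post, and not Socat’s own code), here is the kind of check a reviewer could run on a Diffie-Hellman modulus before merging a patch like the one above: a Miller-Rabin primality test plus a safe-prime check, in Python. The 2048-bit floor, the small safe-prime generator and the sample values are assumptions made for the example.

```python
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test. A composite survives 40 random bases with
    probability below 4**-40, so False is always right and True is
    wrong only with negligible probability."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:          # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0                  # write n - 1 = d * 2**r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # found a witness: n is composite
    return True

def check_dh_modulus(p: int, min_bits: int = 2048) -> dict:
    """Review checks for a DH modulus: prime, safe prime (so (p-1)/2 is
    prime and the subgroup is large) and big enough. The 2048-bit floor
    is an assumption for this example, not a requirement from Socat."""
    prime = is_probable_prime(p)
    return {
        "bits": p.bit_length(),
        "is_prime": prime,
        "is_safe_prime": prime and p > 3 and is_probable_prime((p - 1) // 2),
        "large_enough": p.bit_length() >= min_bits,
    }

def generate_safe_prime(bits: int) -> int:
    """Draw random odd q until both q and p = 2q + 1 are prime.
    Demonstration only; real deployments should use vetted groups."""
    rng = random.SystemRandom()
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1
```

A Fermat-style check would wrongly accept a Carmichael number such as 252601 (constructed test value, 41 × 61 × 101); Miller-Rabin rejects it, which is why the stronger test is used.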
What’s the lesson?
Source code review processes and tools are sorely lacking, and a lot of damage is being done because of the insufficiencies in these areas. We need a new perspective on testing and debugging applications from a security standpoint, and we definitely need to put an end to the “security as an afterthought” mindset.
I’ll be writing about the solutions in a future article. Until then, code safely and share your comments.