
Want secure software? Break it first

By Michelle Davidson, Site Editor
08 Jun 2006 | SearchAppSecurity.com

BALTIMORE -- If you think like a hacker, you can better protect your software.

That was the main message at this week's Secure Software Summit. Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University, in particular, emphasized that concept during his keynote address on breaking security systems.

"If you just make systems and don't break them, you don't know how to think like a hacker," Rubin said.

Rubin, author of the books Web Security Sourcebook, White-Hat Security Arsenal and the upcoming Brave New Ballot, told the nearly 100 conference attendees about the benefits of breaking systems. For him and many other security testers, the best part is that it's fun.

"It's interesting and challenging, and it teaches you how to build systems more securely," Rubin said. "People who make the thing think I'm a troublemaker and I'm just trying to make a name for myself."

In reality, however, it keeps companies honest, he said. They don't want to see their names in news reports.

Rubin acknowledged that it's significantly easier to break a system than to build a secure system. "A hacker has to be right only once. A builder has to anticipate all types of attacks," he said. "The consequences of building a bad system are worse than the consequences of a bad attack."

Knowing that, builders have to outline threats at the start of software development. "When building a system, security doesn't mean anything without a threat model," Rubin said.

In addition, many decisions need to be made: What protocols and algorithms should be used? What effect will security have on performance? How do you measure security?

Designing software securely is a challenge: even if you think the design is secure, errors can be introduced during implementation, and the threat model itself could be wrong, Rubin said.

Other ways things can go wrong:

  • Bugs in the code
  • Poor administration
  • Malicious insider threats
  • Unrealistic assumptions about attackers

If a vulnerability is discovered

In some cases, people discover vulnerabilities accidentally. In other cases, however, researchers consider it a challenge to break systems. Regardless, people need to report the issue to the vendor directly, Rubin said.

"It is the responsible thing to go to the vendors first," he said. "They may deny [the vulnerability], but you need to do that."

Rubin explained how he and his graduate students at Johns Hopkins discovered how to break TIRIS, the Texas Instruments Registration and Identification System. It uses RFID chips that are found in 150 million vehicle keys as immobilizers and in the Exxon Mobil Speedpass.

The students spent several months trying to re-engineer the cipher. They eventually broke the circuit and were then able to think of several ways to break the system, Rubin said. One thing they did was figure out how to use a regular key to start a car that requires a chip-enabled key. In addition, they were able to scan a person's Speedpass, take that information and use it to purchase gas.

"Once they knew the key, they could fool a reader and spoof a valid tag to buy gas and start a car," he said.

Rubin told Texas Instruments and Exxon Mobil about the system break and that he wanted to publish a paper on it. The companies didn't believe him and wanted proof that it could be done. Rubin's team proved it and the paper was published.

Security breaks such as that prove that if an attacker has a will, he can find a way. "No useful system is really secure," Rubin said. "Some are just harder to break."


