By: Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group
When I was a kid, I went on long car trips with my family in the summer. After hours of driving, crossing a state line seemed like a big deal. I eagerly watched out the window for the “Welcome to…” sign, but I was always disappointed when the state we entered looked very much like the state we exited.
Growing up was the same kind of experience: Each birthday, I did not feel any different, even though I was a whole year older.
If you cross enough state lines, or have enough birthdays, eventually you can see that you’ve arrived in a different place.
Organisations have the same kind of experience with cyber security. You might have a romanticised vision of how cyber security will be implemented — maybe you have plans for a giant room carved under a mountain, filled with dozens of giant screens showing furiously scrolling code and the paths of incoming attacks on a giant map.
In reality, you’ll take many small steps to fully integrate security into your organisation, and sometimes it won’t seem like anything is happening. Unfortunately, massive underground control rooms are not actually useful in cyber security, but if you keep making consistent progress, you will eventually arrive in a new state where your risk is significantly lower.
Doctors use a variety of tools to help you minimise your risk of illness or death. A doctor assesses your health using blood pressure, pulse rate, body mass index, and other measurements. Detailed information is obtained from X-rays, MRIs, blood tests, and other tools.
To treat risks or illnesses, the doctor will recommend good diet, exercise, and other healthy habits, not to mention various types of medications.
You will never hear a good doctor saying, “Just take a spoonful of this cure-all every day and you’ll feel great.” Cure-alls don’t exist, and anyone trying to sell one is lying.
No one tool does it all
It is the same story in cyber security. No one tool does everything, and no “easy button” exists that will magically lower your risk and keep you safe.
To stay healthy and reduce your risk of illness or disease, you eat well, you exercise, you wash your hands after using the bathroom, and so forth. For some people, this is a transformation — if you’ve never really thought about the way you eat, then switching to a healthy diet means changing your habits and maybe readjusting your priorities and schedule.
Similarly, the processes and tools that reduce cyber security risk are well-known. Nevertheless, implementing a cyber security program can be transformational for some organisations. If you’ve always allowed your employees password-only access to internal systems, then implementing two-factor authentication will be hard at first. If you’ve always allowed your developers to pull in whatever third-party components they need for functionality, then implementing proper software supply chain management will be an adjustment for everyone. If you’ve acquired software based solely on features and price, then adding security and risk assessment to that process will take significant effort.
Meet the power tools of software security
If a single tool won’t magically fix everything, then what’s in the toolbox?
Source analysis (or static analysis) tools analyse your source code without running it and report probable bugs. In essence, this is the automated version of code review, in which a developer or a team of developers reads through source code and looks for errors. Tools range from simple string matching (think grep) to sophisticated control flow analysis and taint tracking, which follows untrusted data from where it enters the program to where it is used. Coverity is an industry-leading source analysis tool.
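To make the range from grep to taint tracking concrete, here is an added toy example (not Coverity or any Synopsys code). It runs two analyses over the same constructed Python snippet using the standard library `ast` module: a grep-style pass that flags every line mentioning a dangerous call, and a simple intra-procedural taint tracker that only flags a dangerous call when one of its arguments can be traced back to untrusted input. The source list (`input`), sink list (`os.system`, `subprocess.call`, `eval`) and the sample program are all constructed for illustration.

```python
"""Toy source-to-sink taint analysis for Python, built on the stdlib ast module.

Added example, not a real product. SOURCES, SINKS and SAMPLE are constructed.
"""
import ast

# Constructed: calls whose return values are attacker-controlled.
SOURCES = {"input"}
# Constructed: calls that are dangerous when given attacker-controlled data.
SINKS = {"os.system", "subprocess.call", "eval"}

# Constructed sample program. Line 4 is a real command injection;
# line 6 passes a constant and is harmless.
SAMPLE = '''\
import os
name = input("file: ")
cmd = "ls " + name
os.system(cmd)
fixed = "ls -l"
os.system(fixed)
'''


def _call_name(node):
    """Return a dotted name for a call target, e.g. 'os.system' or 'input'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def grep_findings(src):
    """Level 1, string matching: every line that mentions a sink, tainted or not."""
    return [i for i, line in enumerate(src.splitlines(), 1)
            if any(sink in line for sink in SINKS)]


class TaintTracker(ast.NodeVisitor):
    """Level 2, taint tracking within one module body.

    A variable becomes tainted when it is assigned from an expression that
    contains a SOURCE call or an already-tainted variable; assigning a clean
    expression clears the mark. A finding is a SINK call with a tainted
    argument. Statements are visited in source order, so this is a simple
    flow-sensitive pass with no branch merging.
    """

    def __init__(self):
        self.tainted = set()
        self.findings = []  # (line number, sink name)

    def _expr_tainted(self, node):
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call) and _call_name(sub) in SOURCES:
                return True
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self._expr_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _call_name(node)
        if name in SINKS and any(self._expr_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def taint_findings(src):
    """Run the taint tracker over a module and return (line, sink) findings."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(src))
    return tracker.findings


if __name__ == "__main__":
    print("grep-style:", grep_findings(SAMPLE))     # flags lines 4 and 6
    print("taint:     ", taint_findings(SAMPLE))    # flags only line 4
```

The grep pass reports both `os.system` lines, so half of its output is a false positive; the taint pass reports only line 4, where the argument derives from `input()`. Real tools extend the same idea across functions, files and sanitisers, but the trade-off is already visible here: more analysis buys fewer false positives.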
Supply chain analysis tools examine the third-party software components you have used. Although it is quick and convenient to assemble software from such components, they carry their own risks: each component has its own vulnerabilities, and each comes with a licence whose terms might be incompatible with your product or business model. Using a supply chain analysis tool gives you visibility into your supply chain and enables you to minimise the risk of your third-party components. Black Duck is the premier supply chain analysis tool.
For web applications, interactive application security testing (IAST) tools instrument your application and observe it as it runs, typically while functional tests exercise it, to uncover security vulnerabilities. Advanced features include the ability to verify vulnerabilities and automatically recognise when a vulnerability has been fixed. Synopsys’ innovative IAST tool is Seeker.
A fuzz testing tool sends intentionally malformed inputs to an application to see what kinds of failures (crashes, hangs, memory errors, unhandled exceptions) can be triggered. Fuzzing is a favoured technique for attackers seeking vulnerabilities. Proactive fuzzing during development results in more secure, safer, and more robust products. The industry-leading network protocol and file format fuzzer is Defensics.
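The following added example (not Defensics or any Synopsys code) shows the mechanics of mutation-based fuzzing on a small scale. The target is a constructed parser for a made-up record format (one tag byte, a two-byte big-endian length, then the payload) with a deliberate bug: it trusts the declared length. The fuzzer mutates a valid seed record, runs each mutant through the parser, treats `ValueError` as the expected rejection of bad input, and records any other exception as a failure worth investigating. A corrected parser is included so you can see the same fuzzer come back empty once the check is added.

```python
"""Toy mutation fuzzer against a constructed length-prefixed record parser.

Added example, not a real fuzzer. The format, the bug and the seed are constructed.
"""
import random

# Constructed valid record: tag 0x01, length 5, payload "hello".
SEED = bytes([0x01, 0x00, 0x05]) + b"hello"
# Boundary values that are disproportionately good at exposing length bugs.
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]


def parse_record(data):
    """Buggy parser: trusts the declared length field.

    If the declared length exceeds the bytes actually present, the payload
    slice is silently short and payload[length - 1] raises IndexError.
    """
    if len(data) < 3:
        raise ValueError("short header")        # expected rejection
    tag = data[0]
    length = int.from_bytes(data[1:3], "big")
    payload = data[3:3 + length]
    checksum = payload[length - 1] if length else 0   # bug: unchecked index
    return tag, payload[:-1] if length else b"", checksum


def parse_record_fixed(data):
    """Same format, with the declared length validated against the buffer."""
    if len(data) < 3:
        raise ValueError("short header")
    tag = data[0]
    length = int.from_bytes(data[1:3], "big")
    if len(data) - 3 < length:
        raise ValueError("declared length exceeds buffer")
    payload = data[3:3 + length]
    checksum = payload[-1] if length else 0
    return tag, payload[:-1], checksum


def mutate(rng, data):
    """Apply one random mutation: bit flip, boundary byte, truncate, or insert."""
    data = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and data:                       # flip a single bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:                     # overwrite with a boundary value
        data[rng.randrange(len(data))] = rng.choice(INTERESTING)
    elif choice == 2 and len(data) > 1:            # truncate the tail
        del data[rng.randrange(1, len(data)):]
    else:                                          # insert 1-3 random bytes
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(data)


def fuzz(target, seed, iterations=2000, rng_seed=1):
    """Return {exception class name: first input that triggered it}.

    ValueError is the parser's documented way of rejecting malformed input,
    so it is not a finding; anything else is a failure the developer did not
    anticipate.
    """
    rng = random.Random(rng_seed)          # fixed seed keeps runs reproducible
    failures = {}
    for _ in range(iterations):
        case = mutate(rng, seed)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:           # noqa: BLE001 - a fuzzer wants everything
            failures.setdefault(type(exc).__name__, case)
    return failures


if __name__ == "__main__":
    for name, target in (("buggy", parse_record), ("fixed", parse_record_fixed)):
        for exc_name, case in fuzz(target, SEED).items():
            print(f"{name}: {exc_name} on {case.hex()}")
        print(f"{name}: done")
```

Running it prints an `IndexError` reproducer for the buggy parser (for example a record whose length bytes were bumped above the real payload size) and nothing for the fixed one. Real fuzzers add coverage feedback, corpus management and crash deduplication, but the loop is the same: mutate, execute, watch for failures the code did not plan for.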
It’s worth the effort
We’re humans, which means we want to believe. We want to believe that we can eat and drink whatever we want without getting sick. We want to believe that we can take a magic medicine that will keep us healthy. We want to believe that we can buy a single tool that will keep us safe from cyber attacks.
Healthy living and cyber security are not products but processes. It is never easy to change habits, but the long-term payoff of reduced risk is worth the short-term effort.