Why is Commercial Software So Vulnerable and How

Why is Commercial Software So Vulnerable (and How Can We Fix It)? Adam L. Jacobs, CISSP Principal Program Manager, Oracle 14 October 2005

State of Things Today • Many vulnerabilities in commercial software • Typical vendors release dozens of fixes annually • No indication this is improving Adam L. Jacobs, CISSP Principal Program Manager, Oracle 14 October 2005

Kinds of Vulnerabilities • Design Flaws • Implementation Flaws Adam L. Jacobs, CISSP Principal Program Manager, Oracle 14 October 2005

Design Flaws • Occur when software is planned and specified without proper consideration of security requirements and principles • Examples: – Cleartext passwords – Weak or proprietary cryptography Adam L. Jacobs, CISSP Principal Program Manager, Oracle 14 October 2005

Design Flaws • Why do Design Flaws happen? – Rushed engineers – Ignorance of security requirements or principles • Fortunately, software designs are improving! Adam L. Jacobs, CISSP Principal Program Manager, Oracle 14 October 2005

Design Flaws • As Design Flaws are found, they are fixed in future releases • But. . . • These can be deeply ingrained, architectural issues • Industry is moving in the right direction • Design Flaws are a minority of the security bugs we see Adam L. Jacobs, CISSP Principal Program Manager, Oracle 14 October 2005

Implementation Flaws • Occur when software developers make a mistake when coding software • (Just like other bugs, but some have serious security implications!) • Implementation Flaws are independent of design Adam L. Jacobs, CISSP Principal Program Manager, Oracle 14 October 2005

Implementation Flaws • Examples: – Buffer overflows – Integer over/underflows – SQL Injection – Format string Adam L. Jacobs, CISSP Principal Program Manager, Oracle 14 October 2005

Implementation Flaws • Why do Implementation Flaws happen? • Human error • We cannot eliminate human error, but we can do more to minimize it • Most serious security bugs are due to these careless mistakes Adam L. Jacobs, CISSP Principal Program Manager, Oracle 14 October 2005

How Can We Improve? • Education – Not every developer can be a security expert – Every developer must understand security fundamentals • At Oracle, we have had success with a webbased, on-demand secure coding training class Adam L. Jacobs, CISSP Principal Program Manager, Oracle 14 October 2005

How Can We Improve? • Individual accountability – Education makes people accountable! – Hold developers accountable for writing quality code. • Automated tools • Power of the consumer Adam L. Jacobs, CISSP Principal Program Manager, Oracle 14 October 2005

The End • Any questions? Adam L. Jacobs, CISSP Principal Program Manager, Oracle 14 October 2005