There’s insecure software, and then there’s insecure code samples available online in open source, Web forums, developer manuals, and even university materials. A brand-new project quietly launched last week aims to eradicate this source of bad code, which feeds into the cycle of insecure software development.
The Eliminate Vulnerable Code Project (eVc), the creation of Seattle-based security vendor Digital Security (DigitSec), is a community-driven effort where participants root out insecure code samples found online, and specifics of the vulnerabilities are available only to members of the project. Among the organizations in discussion with eVc for possible collaboration is the Open Web Application Security Project (OWASP).
“Our hope is to eliminate examples or citations of vulnerable code,” says Waqas Nazir, chairman and CEO at DigitSec. “If someone uses vulnerable code from a Web forum, a document, or an open-source project, they have most likely put themselves up to [being at risk] of an attack or exploit.”
His own company, which among other things conducts penetration testing, sees this problem firsthand. “As a company, we’ve been able to break into a lot of systems using open-source projects, which are known to have certain vulnerabilities,” he says.
Nazir says the eVc project stops short of fixing the code.”Our end goal is not to make any project or website look bad. Our goal is to create a safer software development environment,” he says. “We see a lot of bad examples of source code on Web properties and even in books used to train developers.
“We will provide a digest of reports to the site/owners alerting them of the issues contributed by the community. There will be no direct reference to an existing product where the code is actually in use, so there is no concern of making this available [publicly].”
The Project will employ “crawler” tools to detect flawed lines of code, as well as use other forums and submissions from contributors. “We hope to basically collect everything that gets reported and make it available,” he says.
EVc is currently in discussion with several potential sponsors and will also rely on members from websites, universities, and open-source projects who will work with the site to get the vulnerable code removed or fixed.
Insecure code is posted to forums and other sites every day, and it’s a massive problem that’s difficult to solve, security experts say.
“Introducing software vulnerabilities via code reuse is an age-old problem. Every day, insecure code is posted to forums like Stack Overflow, and unsuspecting developers copy and paste it into their projects without fully understanding how it works or what coding flaws may be present,” says Chris Eng, vice president of research at Veracode.
Eng says attempting to wipe out bad sample code is a “worthwhile goal,” but the problem is so huge that an approach like EvC ultimately isn’t scalable enough to handle it. “Even if we set aside open source projects, books, and other sources, the amount of code being posted to Web forums alone is tremendous, and it’s increasing at a rate that far outpaces the bandwidth of qualified application security experts,” Eng says.
Prutha Parikh, a security researcher with Qualys, says the eVc Project appears to be in the same vein as a risk she recently discovered, where scripts or software comes bundled with production-grade software, leaving customers at risk.
[ Security researchers have reported spikes in mass SQL injection attacks of late that take advantage of very common vulnerabilities in the way that Web applications interact with back-end databases. See Mass SQL Injections Spike Again. ]
“EVc focuses on buggy software that comes from books, training material, and unmaintained software, and it finds its way in production software. My blog on ‘Risks of Vulnerabilities in Example Scripts Bundled with Software’ is in a similar spirit, but focuses on example scripts or software that comes bundled with production-grade software instead,” she says.
She recommends that vendors remove these supporting files and scripts when they ship their software. These not-ready-for-prime-time scripts can include programming examples, help files, and other scripts for installation and configuration. “The actual software may be security-hardened, but many times these supporting files contain vulnerabilities,” Parikh wrote in her blog post.
The eVc Project, meanwhile, has more than a handful of contributors as of this posting and already has logged around 15 vulnerable code samples, such as SQL injection, cross-site scripting, cross-site request forgery, buffer overflow, format-string, and clear-text encryption key vulnerabilities.
By Kelly Jackson Higgins