Worst languages for software security

I was sent an article about program languages that generate most security bugs in software today. The article seemed to refer to a report by Veracode, a company I know well, to discuss what software security problems are out there in applications written in different languages. That is an excellent question and a very interesting subject for a discussion. Except that the article really failed to discuss anything, making instead misleading and incoherent statements about both old-school lnguages like C/C++ and the PHP scripting. I fear we will have to look into this problem ourselves then instead.

So, what languages are the worst when it comes to software security? Are they the old C and C++, like so many proponents of Java would like us to believe? Or are they the new and quickly developing languages with little enforcement of structure, like PHP? Let’s go to Veracode and get their report: “State of Software Security. Focus on Application Development. Supplement to Volume 6.

The report includes a very informative diagram showing what percentage of applications passes the OWASP policy for a secure application out of the box grouped by the language of the application. OWASP policy is defined as “not containing any of the security problems mentioned on the OWASP Top 10 most important vulnerabilities for web application” and OWASP is the accepted industry authority on web application security. So if they say that something is a serious vulnerability, you can be sure it is. Let’s look at the diagram:

Veracode OWASP by language 2016-01-18-01

Fully 60% of applications written in C/C++ come without those most severe software security vulnerabilities listed by OWASP. That is a very good result and a notable achievement. Next, down one and a half to two times, come the three mobile platforms. And the next actual programming language, .NET, comes out more than two times as bad! Java is 2 and a half times as bad as C/C++. The scripting languages are three times as bad.

Think about it. Applications written in Java are almost three times as likely to contain security vulnerabilities as those written in C/C++. And C/C++ is the only language that gives you a more than 50% chance of not having serious security vulnerabilities in your application.

Why is that?

The reasons are many. For one thing, Java has never delivered on its promises of security, stability and uniformity. People must struggle with issues that have been long resolved in other languages, like the idiotic memory management and garbage collection, reinventing the wheel on any more or less non-trivial piece of software. The language claims to be “easy” and “fool-proof” while letting people to compare string objects instead of strings with an equal operator unknowingly. The discrepancy between the fantasy and reality is huge in the Java world and getting worse all the time.

Still, the main reason, I think, is the quality of the developer: both the level of developer knowledge, expertise, as it were, and the sheer carelessness of the Java programmers. Where C/C++ developers are actually masters of the software development, the Java developers are most of the time just coders. That makes a difference. People learn Java in all sorts of courses or by themselves – companies constantly hire Java developers, so it makes sense to follow the market demand. Except that those people are kids with an ad-hoc knowledge of a programming language and absolutely no concept of software engineering. As opposed to that, most C/C++ people are actually engineers and they know much better what they are doing, even when they write things in a different language. But the “coders” are much cheaper than real engineers, so the companies developing in Java end up with lots of those and the software quality goes down the drain.

The difference in the quality of the software is easily apparent when you compare the diagrams for types of the issues detected mostly from the same report:

Veracode Problem Areas 2016-01-18

You can see that code quality problems are only 27% of the total number of issues detected in the case of C/C++ while for Java code the code quality issues represent the whopping 80% of total.

Think again. The code written in Java has several time worse quality than the code written in C/C++.

It is not surprising that the quality problems result in security vulnerabilities. Both quality and security go hand in hand and require discipline and knowledge on the part of developer. Where one suffers, the other inevitably does as well.

The conclusion: if you want secure software, you want C/C++. You definitely do not want Java. And even if you are stuck with Java, you still want to have C/C++ developers to write your Java code because they are more likely to write better and more secure software.

GAO report on cybersecurity in Air Traffic Control is outright scary

aircraft-networksThe fact that the modern aircraft can be controlled from the ground is not widely publicized but known. There was though a lot of controversy, including among specialists, about how much of control could be intercepted by unauthorized 3rd parties. Well, now the extent of the problem is confirmed officially.

The U.S. Government Accountability Office (GAO), which is also called “watchdog of Congress”, usually oversees the federal government for the expenditure of public funds. However, the 56-page report “Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen» (copy) published on April 14  tells a very interesting but scary story. For a document that is not classified as “secret”, in any case.

Apparently, the computers on board of contemporary aircraft could be susceptible for break-in and take over by using the on-board WiFi network or even from the ground. The computer systems that control the airplane communicate with each other and the systems on the ground using IP networking technologies and connecting through the same networks that are used on board for entertainment. This opens the aircraft control networks to a wide range of security threats.

FAA officials and experts we interviewed said that modern aircraft are also increasingly connected to the Internet, which also uses IP-networking technology and can potentially provide an attacker with remote access to aircraft information systems.

The “solution” entertained by FAA includes setting up a firewall to separate the operations network from that of “visitors”. And we all know it’s not going to help, we are past that point long ago. General purpose IP firewalling does not really correspond to the level of threat sophistication of today. The GAO report tells as much: “Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented.” Which means that the access to the cabin could be obtained from the same network being used by the passengers or even from a remote location outside the aircraft.

These networked systems are present in all modern airplanes, including Boeing 787, Airbus А350 и Airbus А380. Currently, the FAA certification of the aircraft does not include any cybersecurity assessment, so the security of the airplane systems is left to the discretion of the manufacturer. Until now, other security measures generally prevented the malicious actors from doing any harm to the airplane but the new threats that arise from networking and software-driven operation are not taken into account.

According to the CNN, the government investigators that wrote the report concluded that it would be possible for someone equipped with only a laptop to:

  • Commandeer the aircraft
  • Put a virus into flight control computers
  • Jeopardize the safety of the flight by taking control of computers
  • Take over the warning systems or even navigation systems

Basically, it is as bad as it gets. The flight systems are not protected as they are all legacy from the previous non-networked age and developed by the same people that developed the previous generations of systems. The only protection is the firewall that separates the cockpit from the rest of the world but that is a slight consolation.

They should put a sign at the airport: “Fly at your own risk”.

It is also really strange that this information is published at all. The Federal Aviation Administration is a governmental body of USA. United States of America, at least officially, are in a state of so-called “war on terror”. At such a time, when an investigative authority finds out some possibility for terrorists to execute attacks, such information is, I assume, immediately classified and the problem is solved between the government and the company quietly.

But at the moment this looks as if the US government strongly suggests to the terrorists: “why do you expose yourself to unnecessary risks trying to smuggle explosives on board, while there is a proven method to achieve the same results by connecting to the airplane control system with a laptop?”

Typically, in such cases, even the noble task of warning the public about the dangers of the situation is not taken into account. What should the audience do with it, anyway? Panic and do the ticket office run trying to cancel all reserved flights? Stage a mutiny on board, requiring immediate emergency landing? Or just remember that from this point on the use of air transport is at your own risk?

Unfortunately, it feels more like if US has planned to stage a series of new terrorist attacks against international air traffic that must be attributed to whomever finds this information useful.

Anyway, the illusion of safety of international air traffic is now officially dispelled. Fly at your own risk. Oh, and you are still not allowed to carry that bottle of mineral water on board.

Heartbleed? That’s nothing. Here comes Microsoft SChannel!

microsoft_securityThe lot of hype around the so-called “Heartbleed” vulnerability in open-source cryptographic library OpenSSL was not really justified. Yes, many servers were affected but the vulnerability was quickly patched and it was only an information disclosure vulnerability. It could not be used to break into the servers directly.

Now we have Microsoft Secure Channel library vulnerability (“SChannel attack”) that allows an attacker to easily own MS servers:

This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.

This vulnerability in Microsoft TLS is much more serious as it allows to take over the control of any vulnerable server remotely by basically simply sending packets with commands. Microsoft admits that there are no mitigating factors and no workarounds, meaning if you did not install the patch, your server is defenseless against the attack. Windows Server 2012, Windows Server 2008 R2 and Windows Server 2003, as well as workstations running Vista, Windows 7 and Windows 8 are all vulnerable.

This is as critical as it gets.