Posted By: Tim Rains, Director, Trustworthy Computing
In the past I’ve said a perfectly operated cloud service that has vulnerabilities in it due to lackluster development processes isn’t going to help protect the data that cloud customers store and process in the cloud. As reported in the latest volume of the Microsoft Security Intelligence Report that was released just last week, the number of vulnerability disclosures across the entire software industry, including online services, has continued to trend down. Although this trend is heading in the right direction, it still means that there are thousands of software vulnerability disclosures every six months across the entire software industry.
Figure (below): Industry-wide vulnerability disclosures, the first half of 2009 (1H09) to the second half of 2011 (2H11)
Figure (below): Industry-wide operating system, browser, and application vulnerabilities, the first half of 2009 (1H09) to the second half of 2011 (2H11)
As seen in the graph above, the vast majority of these vulnerabilities are in applications, a number that includes disclosures in cloud services and traditional “boxed” software products. Disclosures in application vulnerabilities increased 17.8 percent in the second half of 2011 (2H11).
You might be wondering what a vulnerability in code looks like. To illustrate how subtle a security vulnerability can be, the following small code sample contains a vulnerability that is difficult to find using code reviews or tools or both.

    bool fAllowAccess = true;
    if (AccessCheck(...) == 0 && GetLastError() == ERROR_ACCESS_DENIED)
        fAllowAccess = false;

In this real-world example, the developer intended the code to check whether the user running the program should be denied or granted access. The problem is that the function the developer relies on to make that decision, AccessCheck(), can fail for many reasons, many of which have nothing to do with denying access. For example, if the application runs out of memory for any reason during this operation, the function could return an “out of memory” error instead of the “access denied” error that the developer was expecting. Because the code starts from “allow” and only revokes access when it sees an “access denied” error, it will grant access to the user if any other error is returned. This is, therefore, a vulnerability that could potentially be exploited if an attacker could create the right conditions.
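The same logic next to a fail-closed version, as an added example that is not code from the original post or from Microsoft. The check function, the error variable and the SIM_ constants are constructed stand-ins (no real Windows API is called), so the sketch runs anywhere and shows which outcomes each pattern lets through.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins: the values mirror the Win32 error codes, but
   nothing here calls the real API. */
enum { SIM_OK = 0, SIM_ACCESS_DENIED = 5, SIM_NOT_ENOUGH_MEMORY = 8 };

static int g_last_error;            /* plays the role of GetLastError() */

/* Hypothetical check: returns nonzero when access is granted and 0 on any
   failure, recording the reason in g_last_error. */
static int sim_access_check(int outcome)
{
    g_last_error = outcome;
    return outcome == SIM_OK;
}

/* The pattern from the post: start from "allow", revoke on one error only. */
bool allow_fail_open(int outcome)
{
    bool allow = true;
    if (sim_access_check(outcome) == 0 && g_last_error == SIM_ACCESS_DENIED)
        allow = false;
    return allow;
}

/* Fail-closed pattern: start from "deny", grant only on explicit success. */
bool allow_fail_closed(int outcome)
{
    bool allow = false;
    if (sim_access_check(outcome) != 0)
        allow = true;
    return allow;
}

int main(void)
{
    const int outcomes[] = { SIM_OK, SIM_ACCESS_DENIED, SIM_NOT_ENOUGH_MEMORY };
    const char *names[] = { "success", "access denied", "out of memory" };
    for (int i = 0; i < 3; i++)
        printf("%-14s fail-open=%d fail-closed=%d\n", names[i],
               allow_fail_open(outcomes[i]), allow_fail_closed(outcomes[i]));
    return 0;
}
```

The two functions agree on success and on “access denied”; they differ only on the unexpected failure, which is why a test suite that exercises just those two cases passes the vulnerable version.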
Can’t firewalls and other security controls mitigate the risk posed by such vulnerabilities? I asked Dennis Hurst, Enterprise Security Products District Manager at HP and Cloud Security Alliance member, to share his view on whether cloud providers could address these types of vulnerabilities using the type of operational security controls that seems to be the center of attention in the current public dialog around cloud security. Dennis told me, “If you don’t create an application that’s secure from the start it’s very, very difficult to take that and operationally secure it.”
Dennis shares his perspective on the importance of secure development practices for cloud services in this segment of the Trustworthy Computing Cloud Fundamentals Video Series.
If you haven’t seen the other videos in this series, you can see them using the links below:
Cloud Fundamentals Video Series
Please check back on this blog regularly as we continue the Cloud Fundamentals Video Series and explore topics that are important for IT professionals and business decision makers who are interested in cloud security, privacy, and reliability.