Borrowed codes, lack of skills, help hackers make merry with software bugs
On November 24 Chen Zhaojun, a security researcher who was part of the Alibaba Cloud Security team, alerted the Apache Software Foundation about a critical vulnerability in a widely-used logging software called log4j 2. The vulnerability was made public on December 9 and patches were subsequently released by the foundation.
Cybercriminals, however, were quick to take advantage of the loophole and have intensified attempts to identify applications and servers that may be vulnerable and could be exploited to carry out credential theft or ransomware attacks. Attackers have already made attempts to exploit the log4j 2 vulnerability in 41% of Indian organizations, as per Check Point Software, a cybersecurity firm.
Log4Shell, however, is just one of the many software vulnerabilities that have been reported this year. According to a HackerOne report published this month, 66,547 software bugs were detected in 2021. This is 21% higher than the previous year.
“Software vulnerabilities are bugs or mistakes that could be exploited by threat actors to execute a cyber-attack. One of the reasons we encounter so many software vulnerabilities is the sheer number of applications produced today compared to a decade ago,” said Ashwin Ram, cyber security evangelist at Check Point Software. An increase in application development means an increase in attack surface as every app with a vulnerability is a potential target for attackers.
“Most modern software will have multiple zero-day vulnerabilities in them,” cautioned Tushar Richabadas, senior product marketing manager, applications and cloud security, at Barracuda, a cybersecurity firm.
Security experts feel that the growing reliance on code borrowed from third-party libraries, without vetting it properly, instead of writing it from scratch is one of the red flags that have contributed to the problem.
“DevOps has changed. A few years back developers used to write 80% of the codes while 20% was borrowed from libraries. It's exactly reversed right now. Developers are hardly doing any coding and software development is all about these libraries with pre-baked codes,” said Huzefa Motiwala, director, systems engineering, India and SAARC, at Palo Alto Networks, a cybersecurity company.
Motiwala feels developers should adopt a shift-left approach and embed security at every stage of the development cycle, especially at the point when they are borrowing code. He has a point. After the pandemic, dependence on third-party code libraries has skyrocketed, especially in emerging markets such as India, which is already facing a severe shortage of tech professionals, including skilled programmers.
A case in point is CodeCanyon, one such library, which saw revenue from India grow by 184% year-on-year (YoY) last year after the pandemic started and businesses in India were forced to build an online presence.
This does not mean that all third-party code libraries necessarily contain vulnerable code. However, Ram cautioned that threat actors often use open-source code as a delivery mechanism for backdoors into applications. “This is why a zero-trust mindset of ‘never trust, always verify’ must also be extended to software development,” he added.
This is also linked to the fact that these days applications are developed, published and updated at a much faster pace than they were a few years ago. Post-pandemic, businesses have been under enormous pressure to rush products to market. Ram laments, “businesses also expect applications to be published quickly, perhaps to capitalize on competitive advantages with faster time-to-market. This, in turn, can further push the publications of half-baked applications.”
Complexity and scale are among the other factors that have increased the risk. According to Motiwala, everything is an application programming interface (API) in today's world, and any security misconfiguration makes it easier for attackers to exploit. Similarly, in large-scale applications it is impossible to identify every bug manually. This can be addressed by having automated tools scan for vulnerabilities every time a new piece of code is added.
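One way to put that automated check into practice, as an added example that is not code from the article or from any of the companies quoted: a minimal dependency scan, of the kind a build pipeline would run on every commit, that flags manifest entries whose version falls inside an advisory's affected range. The advisory feed, the artifact names, the `group:name:version` manifest format and all version numbers are constructed for illustration and are not real advisories.

```python
"""Minimal software-composition check for a dependency manifest.
Advisory data, artifact names and versions below are constructed
placeholders, not real advisories or real affected ranges."""
from dataclasses import dataclass


def parse_version(v):
    """'2.14.1' -> comparable tuple; a pre-release like '2.0-beta9' sorts below '2.0'."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums = nums + (0,) * (3 - len(nums))          # pad '2.15' to (2, 15, 0)
    return nums + ((0, pre) if pre else (1, ""))  # release ranks above its pre-releases


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    artifact: str    # "group:name"
    introduced: str  # first affected version (inclusive)
    fixed: str       # first version no longer affected (exclusive)


# Constructed advisory feed (hypothetical ids, coordinates and ranges).
ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "org.example.logging:logger-core", "2.0", "2.15"),
    Advisory("EXAMPLE-ADV-0002", "org.example.web:http-client", "4.0", "4.3.2"),
]


def is_affected(version, adv):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def parse_manifest(text):
    """Parse 'group:name:version' lines (constructed format); skip blanks and comments."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, name, version = line.split(":")
        deps.append((f"{group}:{name}", version))
    return deps


def scan(manifest_text, advisories=ADVISORIES):
    """Return (artifact, version, advisory_id, fixed) for each vulnerable dependency."""
    findings = []
    for artifact, version in parse_manifest(manifest_text):
        for adv in advisories:
            if adv.artifact == artifact and is_affected(version, adv):
                findings.append((artifact, version, adv.advisory_id, adv.fixed))
    return findings


# Constructed manifest: one vulnerable pin, one already at the fixed version, one unknown.
SAMPLE_MANIFEST = """\
# dependencies for the build
org.example.logging:logger-core:2.14.1
org.example.web:http-client:4.3.2
org.example.util:string-tools:1.2.0
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_MANIFEST):
        print("VULNERABLE %s@%s -> %s (upgrade to >= %s)" % finding)
```

A real pipeline would replace the constructed list with a live advisory feed and fail the build when `scan` returns anything.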
In many instances, a software vulnerability stems from the limitations of the programming language being used. The buffer overflow vulnerability that attackers exploited to target WhatsApp users with Pegasus spyware in 2018 is specific to the widely used C and C++ languages. Many developers are now turning to more security-oriented programming languages such as Rust, which was designed specifically to prevent memory-related vulnerabilities.
Further, organizations should also ensure that developers are trained and equipped to write secure code. Laying down guidelines can also go a long way in building secure software. “Detecting vulnerabilities, especially low-hanging ones, becomes easier when there are guidelines and processes in place to build upon,” said Richabadas.
Richabadas added that Indian organizations have a long way to go, especially small- and medium-sized enterprises. The smaller an organisation, the lower its priority for security, outside regulated industries like finance. Ram noted that some organisations are investing in appropriate security controls but still not configuring them correctly.
That said, security experts concur that organizations and product teams need to embrace security as part of their company's DNA, not as an afterthought.