ESET researchers have offered programmers a few tips for spotting vulnerable code and how to correct them before they make it into your system.
Copying data, wrong indexes in loops, and integer overflow are common coding mistakes to look out for in open source code and researchers advised programmers to check for portions of the code that are rarely executed as they are more prone to errors, according to a Jan. 30 blog post.
Researchers said the copying of buffer data using functions such as strcpy without performing any check on the size of the copy is one of the simplest scenarios in which vulnerable code can manifest itself. The good news is that these vulnerabilities are unusual and can usually be spotted immediately and corrected by a check using strlen (mechanism) before copying, or by using n bytes copy functions, like strncpy, researchers said.
Wrong indexes in loops can result in more bytes being copied than was intended, and researchers recommend programmers to look for vulnerabilities in loops that parse strings or handle user inputs.
Researchers also warn to look out for Integer overflow bugs can often happen when attempting to avoid an excessive amount of data copying to a buffer.
Most programmers never check open source libraries and modules when they are building applications, Kunal Anand, co-founder and CTO of Prevoty, told SC Media.
“There are many other kinds of issues that programmers should be checking for,” Anand said. “To assist in preventing XSS, programmers sometimes forget to encode input parameters or fail to set modern browser headers (CSP, XSS auditing, etc.). For protecting against SQLi, programmers sometimes forget to use prepared statements AND variable binding over concatenating strings in regular queries.”
Anand went on to say that Java programmers use dependency management tools like Maven, which downloads libraries and that most developers don't bother to check the source code of those libraries.
“As our industry hurdles towards DevOps, the reality is that it's becoming more important yet intractable to find and prevent all vulnerabilities in the software supply chain,” he said. “Ultimately, a runtime application defense and intelligence solution could be able to protect and monitor for these attacks in production environments.”