What steps can developers take to build safer software that is hack-proof? originally appeared on Quora: the place to gain and share knowledge, empowering people to learn from others and better understand the world.
Answer by Alex Rebert, Co-Founder at ForAllSecure, Inc., on Quora:
I’m not entirely sure that building hack-proof software is possible. There are however some steps that developers could take that would make it significantly harder for attackers. The most successful approach I’ve seen has been defense in depth.
The first step is to minimize the number of bugs in your code. Easier said than done, but here are some concrete steps that would help with that:
- Prefer a memory-safe language when possible, as that might prevent entire classes of vulnerabilities from being in your software.
- Educate yourself in security a bit if possible. Ideally, you’d know about the common vulnerabilities that could apply to your software: command injection, sql injection, buffer overflow, XSS, CSRF, …
- Test your software. Make sure to test edge cases and sensitive code sections (input parsers, code with elevated privileges).
- Use automated analysis: linting, static code analysis, …
- Fuzz! The attackers certainly will if they get access to your software. This is where a tool like Mayhem can really help.
Now you should assume that all the steps above failed and an attacker has found a bug. The second step is to harden your binary, such that even in the presence of a security bug, it will be harder to exploit:
- Make sure OS defenses are enabled on the system where the software gets deployed.
- Make sure to enable compiler defenses when applicable: stack canaries, PIE, DEP, …
Next, you should assume that an attacker will get code execution, and try to minimize the impact of the attack. At a high level, we want to give the software the least amount of permissions and capabilities that we can. This will allow you to isolate fault and impact. There are a few ways you can do that.
One successful approach is to sandbox code handling user input: drop privileges, whitelist syscalls that you expect to call and disable others, use namespaces, … Some tools can help with that. For instance, Google released recently. Browsers like Chrome use sandboxes, which means you have to chain multiple vulnerabilities: first you need to get code execution in the sandbox, and after that, you have to escape the sandbox. That makes full exploitation a lot harder.
Finally, if you can afford it, I would also recommend a security code audit and/or pen-testing for your sensitive code & systems to make sure nothing was missed.
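The privilege drop and syscall whitelist described in the answer above, as an added example (this is not code from the answer or from ForAllSecure): a Linux seccomp-bpf filter for a hypothetical input-parsing process. The allowlist (read, write, exit, and the calls malloc needs), the assumption that uid/gid 65534 is an unprivileged account, and the x86_64/aarch64 architecture check are all assumptions made for the example. The default action is EPERM so the refused call is visible when the program runs; a production filter would use SECCOMP_RET_KILL_PROCESS instead.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

/* Assumption: only these two architectures are needed for the example. */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* pre-4.14 headers */
#endif

/* Demo default: fail the syscall with EPERM so the refusal can be printed.
   A production sandbox should use SECCOMP_RET_KILL_PROCESS here. */
#define DENY_ACTION (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Hypothetical allowlist for a parser: read input, write output, exit, and
   the calls malloc needs. open, execve, socket, ... are all refused. */
static const int allowed_syscalls[] = {
    SYS_read, SYS_write, SYS_exit, SYS_exit_group, SYS_brk, SYS_mmap, SYS_munmap,
};
#define N_ALLOWED (sizeof allowed_syscalls / sizeof allowed_syscalls[0])
#define FILTER_LEN (N_ALLOWED + 6) /* 4 prologue + N compares + deny + allow */

/* Pure policy lookup, so the list can be checked without installing it. */
int syscall_allowed(int nr) {
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (allowed_syscalls[i] == nr) return 1;
    return 0;
}

/* Emit the BPF program: kill if the architecture is unexpected (syscall numbers
   differ per arch), load the syscall number, jump to ALLOW on a match, else DENY. */
size_t build_filter(struct sock_filter *out, size_t cap) {
    if (cap < FILTER_LEN) return 0;
    size_t n = 0;
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_ALLOWED; i++) {
        /* skip the remaining compares and the deny return, landing on ALLOW */
        __u8 to_allow = (__u8)(N_ALLOWED - i);
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)allowed_syscalls[i], to_allow, 0);
    }
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, DENY_ACTION);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Structural self-check of the generated program: arch load first, every
   allowlist jump lands on the ALLOW return, fall-through is DENY. */
int filter_is_well_formed(void) {
    struct sock_filter prog[FILTER_LEN];
    size_t n = build_filter(prog, FILTER_LEN);
    if (n != FILTER_LEN) return 0;
    if (prog[0].code != (BPF_LD | BPF_W | BPF_ABS) ||
        prog[0].k != offsetof(struct seccomp_data, arch)) return 0;
    if (prog[n - 2].k != DENY_ACTION || prog[n - 1].k != SECCOMP_RET_ALLOW) return 0;
    for (size_t i = 0; i < N_ALLOWED; i++) {
        size_t at = 4 + i;
        if (prog[at].k != (__u32)allowed_syscalls[i]) return 0;
        if (at + 1 + prog[at].jt != n - 1) return 0;
    }
    return 1;
}

/* Drop root to an unprivileged account and verify the drop cannot be undone.
   Supplementary groups and gid go first: after setuid we could no longer set them. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1; /* regaining root must fail */
    return 0;
}

int install_sandbox(void) {
    struct sock_filter prog[FILTER_LEN];
    struct sock_fprog fprog = { .len = (unsigned short)build_filter(prog, FILTER_LEN), .filter = prog };
    /* Needed for unprivileged seccomp; also stops setuid binaries re-granting privilege. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void) {
    /* Assumption: 65534 is an unprivileged "nobody" uid/gid on this system. */
    if (getuid() == 0 && drop_privileges(65534, 65534) != 0) { perror("drop_privileges"); return 1; }
    if (install_sandbox() != 0) { perror("install_sandbox"); return 1; }
    /* No stdio from here on: only the listed syscalls are available. */
    static const char ok[] = "write() allowed\n";
    write(1, ok, sizeof ok - 1);
    int fd = open("/etc/hostname", O_RDONLY); /* open/openat are not on the list */
    if (fd < 0 && errno == EPERM) {
        static const char refused[] = "open() refused by seccomp (EPERM)\n";
        write(1, refused, sizeof refused - 1);
    }
    return fd < 0 ? 0 : 1;
}
```

Build it with the compiler defenses the answer lists, e.g. `gcc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro,-z,now -Wl,-z,noexecstack sandbox.c -o sandbox`, and confirm with `readelf -h sandbox` (type DYN for PIE) and `readelf -l sandbox` (GNU_RELRO present, GNU_STACK without E) before deploying. The parser's real allowlist should be derived by running it under `strace -f -c` on representative input rather than guessed, and the deny action switched to kill once the list is known to be complete.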