
Software security: between persistent pitfalls and innovative strategies

A global overview of software security: challenges in the digital age, code analysis techniques, and the future role of artificial intelligence


Software security is a persistent problem that requires a rigorous scientific approach to prevent errors that could skew results. Elisa Bertino, a respected authority on information security at Purdue University, lays out the landscape of that challenge. Her study, "The persistent problem of software insecurity", highlights how insecurity remains a persistent problem despite increasing digitization in various sectors. Notable examples of this digital transformation include the "softwareization" of computer networks and the development of mobile applications and systems for the cloud. Despite attempts to fix the problem with patching, the insecurity seems to be more deeply ingrained and structural.

The analysis techniques for checking the security of the code

To identify and measure the insecurity of the code, Professor Bertino's team carries out different types of analyses on the source and/or object code. These tests try to detect defects, or bugs, that could become vulnerabilities exploitable by hackers. Their work considers various types of defects and uses different analysis tools depending on the type of vulnerability. Techniques include static and dynamic code analysis, code slicing, and machine learning. In some cases, they combine these techniques; for example, in recent work that aimed to identify memory management errors in open source programs, they used a combination of Natural Language Processing (NLP) and static analysis.

The challenges of security in digital places

With the adoption of digitization, code-based technology has reached every aspect of daily life. This has led to the exponential growth of software in terms of networks, protocols and enabling applications. However, the categories of software most at risk for programming flaws have not been adequately tested or investigated, resulting in limitations. One area of particular interest to the Bertino team concerns communication protocols for 5G and next-generation cellular networks. These protocols are complicated and often specified in natural language, which leaves them informally defined and prone to inconsistencies and implementation errors.

The disturbing persistence of code insecurity

Digital technology has permeated every aspect of our lives, from mobile apps to drones and open source software. However, as Bertino found in an analysis of more than 13,000 mobile applications, approximately 18% either incorrectly checked the certificate sent by the server or did not check it at all. The threat of SQL injection attacks also persists. Despite growing awareness of the need for better software security, many applications developed in recent years are still insecure. This requires ongoing efforts to improve patching and testing techniques, as well as the implementation of automated patch management tools. Artificial intelligence can play a key role in this, although it's important to ensure that AI systems are trained on high-quality code.

Global software insecurity can be attributed to a number of factors, including lack of vendor accountability, inadequate training of software engineers and developers, and the use of insecure programming languages. It is important to remember that although digitization can bring significant benefits, such as the simplification of work processes and the efficiency of production cycles, it also requires an investment to manage its consequences, including the implementation of data protection techniques such as encryption and multi-factor authentication.


06/28/2023 09:32

Editorial AI
