It may seem odd to release a book called “Exploiting Software: How to Break Code” at a security conference. But co-authors Gary McGraw and Greg Hoglund did just that at the RSA Conference in San Francisco in February and weren’t thrown out on their ears. That’s because their real intent is to help people build better code by showing them how attackers work. Network World Editor in Chief John Dix caught up with McGraw to learn more about the book, which was three-and-a-half years in the making, and follows McGraw’s other books, “Building Secure Software” and “Securing Java.”
Inside you say, “This is a dangerous book, but the world is a dangerous place. Knowing more serves to protect you.” Do you think IT professionals will agree with you?
For the most part security professionals do. I was expecting more controversy, but at RSA everyone was saying “Wow, it's about time we had a book like this.” And no one said, “Ooh, way too dangerous.” So I think almost every security professional will agree we have to get more serious about what we’re up against. And the only way to know how to build software right is to know how your creation is going to be attacked. That’s one part of the justification. The other part is, there aren’t any brand-new techniques in the book that are going to cause havoc. The bad guys already know this stuff. Some of the attacks we talk about are truly as old as the hills. And if we begin to have a clearer, more scientifically grounded discourse about this stuff, maybe we’ll make some progress in this space. We surely need it.
In the book you say, “Software defects are the single most critical weakness in computer systems” and “Bad software is ubiquitous.” Are all network defenses, then, merely chewing gum stuck in the cracks of a sinking ship?
The fact is network security mechanisms are necessary but not sufficient. We keep trying to protect our broken stuff from exploit by building a perimeter defense around it. The notion of defending the edges of a system is not bad, it just doesn't work all the time. Especially when it comes to complex software that is Internet based, highly distributed, and designed to be extensible - meaning it is based on the Java Virtual Machine or the .Net Common Language Runtime.
So we have our work cut out for us. The issue is, as software gets more important and gets more complicated, the chances of us solving our problem with edge-level network mechanisms is zero. We have to do some other stuff. We have to make software more secure from the get-go.
One of the biggest problems in software security is, people will build the whole system and then say, now that it’s done let’s make it secure. So they try to sprinkle magic crypto fairy dust on it, or close off the ports so no one can get to it from outside the firewall. Those two approaches aren’t working.
In Chapter 1 of your book you talk about software’s trinity of trouble - complexity, extensibility and connectivity - and point out that vulnerabilities are related to the number of lines of code. So if Linux has 55 million lines of code and XP has 40 million, is this to say there is no way to ensure the security of these and other large systems?
No. It's just that these systems are really big, and unfortunately when they were built no one was really thinking about security. So we have some work to do going back to fix these things up. The guys at Microsoft have spent a lot of effort trying to get a handle on the security problem, with some success. They have a long way to go but it's not like they’ve been doing nothing over there. Unfortunately for them they remain the butt of all security jokes, but I guess they have a big target painted on their tummy.
In the book you carefully describe why it is easy to tear into anything and everything, leaving me with a feeling of despair. Is there hope?
The antidote was published in “Building Secure Software,” so now that you’re despairing you should go back and reread that. I think the good news is that, if you look at the evolution of the software security space, people understand the problem now and are beginning to work on it. We want to make sure they don’t just stick lipstick on the pig, but instead try to breed better pigs. We don’t have to give up hope and throw our hands up. Our hope is that some of the discussion in this book will relegate many of these problems to the dust bin of history.
You have two pages of snippets from hackers about the general state of affairs, one of which reads: “Hardware attached to the Internet (with few exceptions) can be remotely exploited right now - including 3Com switches, the Cisco router and its IOS software, the Check Point firewall and the F5 load balancer.” Are they true?
Nobody really knows. The claims made by hackers are certainly bellicose, at best. The issue to think about is, what if these things are true, or even partly true? If you look at myths and Internet rumor, occasionally there is a grain of truth underneath. For example, the notion that there is a Fortune 500 list showing how to get into various huge corporations. I know people that claim to have seen it. It's not surprising when you think about the fact that most of those corporations have tens of thousands of machines, maybe even hundreds of thousands, and they have to protect them all in order to avoid being compromised.
My co-author on this book, Greg Hoglund, dabbled on the other side. He doesn’t any more, but he brings a kind of hacker mentality to the book. So our book is kind of hackerdom meets science - I’m the science guy - and we’re just trying to understand this problem and jolt people into reality.
People are so excited about the attack of the day they forget to step back and talk about how these things unfold over time and how big the problem is and whether or not there is such a thing as attack patterns. And there are, as it turns out, but identifying them takes a lot of work. The thing is if you start talking about attack patterns instead of the problem of the day, you start building better solutions because you can build a solution for the pattern and not just for the particular bug.
You talk a lot about attack patterns in Chapter 2. Is this aimed at people building software or users of software?
It is aimed at a lot of different audiences. The primary audience is people that are building software, people that need to understand software security, and people that have to protect a network full of software.
What do you make of Microsoft’s behavior-blocking approach to security that was discussed at the RSA show? (A technique for protecting applications and operating systems from worms and other attacks by recognizing when systems aren’t acting like themselves.)
I think that’s not a bad thing to do. It is kind of a reactive approach, and there’s nothing wrong with it. But there is no alternative to actually building things that are not broken. Of course, everyone always talks about defense in depth when it comes to security - you should try to build a perimeter around it, you should watch it behave, watch it get attacked and try to build it to defend itself. And all those things will help, but no one of those things will solve the problem. There is no silver bullet for software security.
It has been said that it would take too long and cost too much to build Windows and other large systems to be secure. How do you balance the economic trade-offs?
Comments (1)
RE: Breaking code in the name of good
By LT Dan on August 16, 2007, 7:40 pm
Actually breaking code is very simple, and there's a key to accomplishing the impossible: it is one very simple WORD. I'll give you a hint, the world operates...