Recently, a Google security researcher called out Symantec for some critical vulnerabilities found in their endpoint products that are supposed to protect businesses and end users. The technical details are shocking, and reminiscent of the issues with heap and stack overflows that were common more than 10 years ago.
We commend Google for their efforts and commitment to finding and fixing application vulnerabilities. The researcher correctly points out that these issues were preventable and recommends following secure software development practices.
“… it’s extremely challenging to make code like this safe. We recommend sandboxing and a Security Development Lifecycle, but vendors will often cut corners here.”
At Security Compass, we know how difficult it is for companies like Symantec to manage security in the software development lifecycle (SDLC), and to do it continuously and reliably. It is important for development teams to have the rigor and discipline to pay attention to security for each and every release, and not drop the ball even once. That’s why we built SD Elements. Our customers praise our solution for being able to automate security requirements throughout the entire SDLC, and scale across a large number of developers and applications. The new customization capabilities in SD Elements 4 make it even easier to fit into any development environment.
Within the expert application security database included with all three editions of SD Elements 4, we have content covering integer underflows and overflows, buffer overflows, remote code execution, object serialization and the use of external libraries. For our own customers who are keeping score, here is a list of some of the Task and Problem IDs that are already applied (and have been for quite some time) to projects in SD Elements, and that help keep your own applications safe from the kind of vulnerabilities found in the Symantec products:
- T72/P87 — Use safe arithmetic to avoid integer overflow
- T202/P21 — Prevent buffer overflow/underflow
- T217/P21 — Use compiler settings to mitigate buffer overflows
- T256/P21 — Test that compiler settings are set to mitigate buffer overflows
- T197/P384 — Sign the code and verify the origin and integrity of remote code with digital signatures
- T439/P384 — Verify that the origin and integrity of remote code and updates are checked
- T53/P325 — Virus scan all uploaded or transferred files using an inline virus scanner
- T54/P532 — Validate file contents
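As an added illustration (not code from this post, from SD Elements, or from the Symantec products), the following C shows the bug class behind T72 and T202: a length computation that wraps, so a small allocation is later overrun, beside a parser that checks the arithmetic and bounds the copy. The record layout, the MAX_PAYLOAD cap and the function names are constructed assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout for illustration only (not any vendor format):
 *   bytes 0-3  element count (uint32, little-endian)
 *   bytes 4-7  element size  (uint32, little-endian)
 *   bytes 8..  payload, expected to hold count * size bytes            */
#define HDR_LEN 8
#define MAX_PAYLOAD (16u * 1024u * 1024u)   /* per-record sanity cap (assumption) */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The bug class (T72): count * size is computed in 32 bits and silently wraps,
 * so an attacker-controlled header yields a tiny allocation that a later
 * element-by-element copy overruns. Returns only the wrapped size; no memory
 * is touched here. */
uint32_t unchecked_payload_size(const uint8_t *hdr) {
    return rd_le32(hdr) * rd_le32(hdr + 4);   /* 0x10000 * 0x10000 wraps to 0 */
}

/* Hardened parse (T72 + T202): overflow-checked multiply, a fixed sanity cap,
 * and a bound against the bytes actually present. Returns 0 with a heap copy
 * of the payload on success, -1 on any rejection (*out is NULL on failure). */
int parse_record_checked(const uint8_t *buf, size_t buf_len,
                         uint8_t **out, size_t *out_len) {
    size_t total;
    *out = NULL; *out_len = 0;
    if (buf_len < HDR_LEN) return -1;
    if (__builtin_mul_overflow((size_t)rd_le32(buf), (size_t)rd_le32(buf + 4), &total))
        return -1;                              /* product would wrap in size_t */
    if (total > MAX_PAYLOAD || total > buf_len - HDR_LEN)
        return -1;                              /* header claims more than exists */
    uint8_t *dst = malloc(total ? total : 1);
    if (!dst) return -1;
    memcpy(dst, buf + HDR_LEN, total);          /* bounded by the checks above */
    *out = dst; *out_len = total;
    return 0;
}
```

On 64-bit builds the product 0x10000 * 0x10000 does not overflow size_t, so it is the MAX_PAYLOAD and remaining-bytes checks that reject it; all three checks are needed for the function to be safe across architectures.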
It should be noted that Symantec had addressed the vulnerabilities by the time Google published its findings, and had issued patches to its customers. If you use Symantec antivirus products, it is recommended that you apply the updates immediately.