
Communications of the ACM

ACM TechNews

'clonewise' Security Service Helps Identify Vulnerable Code



Deakin University researchers have developed Clonewise, a service for finding common code in programs, which could help find vulnerable libraries built into larger bodies of code. The service focuses on finding patterns of source code in the Ubuntu Linux distribution. "Every time there is a vulnerability in [the graphics libraries] libpng or libtiff, we are looking at a lot of major programs that could potentially be vulnerable," says Deakin University's Silvio Cesare.

The researchers found a total of about 400 libraries or embedded packages that could be built into any of the more than 10,000 packages in a common Linux distribution. "Static libraries and other reusable code chunks should definitely be a concern for application developers but the risk is often ignored because until the last few years it was difficult to tackle the problem cost effectively," says Veracode's Chris Wysopal.

With homegrown applications built using enterprise languages such as Java and .NET, there is no standard way to monitor and maintain the third-party code that frequently finds its way into the programs, according to WhiteHat Security's Eric Sheridan. Cesare says software developers who use open source code in their projects need to establish a process to track and manage vulnerabilities in third-party components.

From Dark Reading

Abstracts Copyright © 2012 Information Inc., Bethesda, Maryland, USA

