Tuesday, October 20, 2020

ESSAY ON WHY DEVELOPERS SHOULD START HACKING

In previous years, we have seen a continuous growth in cyber breaches and attacks. Most of them arose from a coding mistake, either because the development team did not know that their code was vulnerable or because of human error: the coders may have been tired or not paying attention while coding.

In order to prevent such mistakes from happening and facilitating data breaches or ransomware attacks, I think developers should start to have some contact with hacking culture and secure coding.

A first step that I think is necessary before developers make contact with hacking is secure coding. But what is secure coding?

Secure coding, in my opinion, is an art, a way of living, but Wikipedia defines it as: "Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities." (Wikipedia, https://en.wikipedia.org/wiki/Secure_coding).

In my opinion, and not only mine, as it has been proven many times, secure coding is the core of hacking. Every hacker needs to know it in order to find different vulnerabilities. Why wouldn't a developer know how to use such a useful tool to find bugs such as use-after-free, the notorious buffer overflow or OOB (out-of-bounds), as it is known in the industry, integer overflow/underflow, double frees and so on? The process by which a developer takes the first steps into secure coding is a procedure known as static code analysis. The procedure is very simple: the developer uses tools such as Clang's AddressSanitizer, UndefinedBehaviorSanitizer and so on to find pieces of code that were left vulnerable. Of course, the developer could also do this manually, reading the code and trying to find the bugs himself, which is more effective because the sanitizers can often show false positives.
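To make the out-of-bounds case concrete, here is an added example (not code from the original post) showing a vulnerable copy routine beside a hardened one. The record layout (one length byte followed by the name bytes), the function names and `NAME_CAP` are assumptions made for illustration; built with the flags in the first comment, AddressSanitizer reports a stack-buffer-overflow when the unsafe path is run.

```c
/* Build with the sanitizers named above:
 *   clang -g -O1 -fsanitize=address,undefined name_demo.c -o name_demo */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16   /* destination size, terminator included */

/* Vulnerable: the length byte comes from the input and is never compared
 * with NAME_CAP or rec_len, so a large value writes past 'out'. */
int copy_name_unsafe(char *out, const uint8_t *rec, size_t rec_len)
{
    (void)rec_len;                        /* ignored: that is the bug */
    size_t len = rec[0];
    memcpy(out, rec + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Hardened: every length is validated before any memory is touched. */
int copy_name_safe(char *out, const uint8_t *rec, size_t rec_len)
{
    if (out == NULL || rec == NULL || rec_len < 1) return -1;
    size_t len = rec[0];
    if (len > rec_len - 1) return -1;     /* claims more bytes than supplied */
    if (len >= NAME_CAP)   return -1;     /* no room for the terminator */
    memcpy(out, rec + 1, len);
    out[len] = '\0';
    return (int)len;
}

int main(int argc, char **argv)
{
    char out[NAME_CAP];
    const uint8_t ok[] = {5, 'a', 'l', 'i', 'c', 'e'};   /* constructed input */
    uint8_t big[41];                                      /* constructed input */
    memset(big, 'A', sizeof big);
    big[0] = 40;                          /* 40 > NAME_CAP - 1 */

    printf("safe(ok)  = %d\n", copy_name_safe(out, ok, sizeof ok));
    printf("safe(big) = %d\n", copy_name_safe(out, big, sizeof big));
    if (argc > 1 && strcmp(argv[1], "--unsafe") == 0)
        copy_name_unsafe(out, big, sizeof big);   /* ASan stops the run here */
    return 0;
}
```

Running `./name_demo` exercises only the hardened function; `./name_demo --unsafe` triggers the sanitizer report on the 16-byte `out` buffer.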

After a developer has mastered this tool, it's time for him to make contact with hacking. Hacking is the art of making a machine do what you want it to do. But Wikipedia defines it as:

"An exploit (from the English verb to exploit, meaning "to use something to one's own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized)".

What hacking actually is bears the name of binary exploitation: a subset of hacking culture which aims to find vulnerable snippets of C code, take advantage of the vulnerability and modify the memory control flow to do what the exploiter wants, which could be to get a remote connection, print something on the victim's screen or steal their credit card.

I mentioned the term binary exploitation earlier, and I will now define it better. Binary exploitation is the next logical step after learning static code analysis. It's the final stage, where one shows his understanding of computer architecture and software architecture, and his ingenuity in proving that the vulnerable piece of code is actually vulnerable and not just a false positive.

With the facts presented above, I hope I have justified why a developer would improve more if he makes contact with hacking culture.
