PRETEND MORE UPGRADE YOUR SOFTWARE QUALITY
Software security is today one of the main concerns in Information Technology. The “2015 Cost of Cyber Crime Study” by the Ponemon Institute found that the cost of cyber crime is increasing year on year (+1.9% from 2014 to 2015) across all the countries surveyed, and that in absolute terms the average annual cost per organization reached several million dollars ($15M in the USA, $7.5M in Germany, $6.8M in Japan). The industry sector most affected was financial services, at more than $13M per year. Given these numbers, various organizations are trying to enforce security standards. For instance, last year the European Central Bank imposed the use of automated static analysis for software quality inspections.
In addition, independent organizations such as OWASP (whose mission is to “make software security visible, so that individuals and organizations are able to make informed decisions”) are pushing to make software companies and users more aware of the risks of security breaches in software. In particular, the OWASP Top Ten 2013 identifies the most critical security risks to web applications.
The topmost is injection:
Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, Xpath, or NoSQL queries; OS commands; XML parsers, SMTP Headers, program arguments, etc. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws.
While the third one is cross-site scripting (XSS):
XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content. There are two different types of XSS flaws: 1) Stored and 2) Reflected, and each of these can occur a) on the Server or b) on the Client. Detection of most Server XSS flaws is fairly easy via testing or code analysis. Client XSS is very difficult to identify.
Julia statically and automatically detects both of these issues. Because its analysis is sound, Julia does not merely report the injection and cross-site scripting flaws it happens to find: it can prove that a program contains none. You can find more details in the Checkers section, under Injection.
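The two OWASP definitions above share one root cause: untrusted data reaches an interpreter (the SQL engine, the browser's HTML parser) as code rather than as data. The following example, added here and not taken from the original page or from Julia, shows that flow concretely: a user lookup built by string concatenation beside its parameterized form, and an HTML greeting rendered with and without output encoding. The `users` table, the function names and the attacker payloads are constructed for illustration; the database is an in-memory SQLite instance so the script runs offline.

```python
import sqlite3
import html


def make_db():
    """Constructed in-memory database standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """OWASP A1 pattern: the untrusted value is spliced into the SQL text,
    so the interpreter cannot distinguish data from code.  A payload such as
    x' OR '1'='1 turns a lookup of one user into a dump of every row."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the value is bound as data and never parsed as
    SQL, whatever quotes or keywords it contains."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def render_greeting_vulnerable(name):
    """Reflected XSS: user data is placed in the page without escaping, so a
    <script> element in the name is executed by the browser."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Output encoding for an HTML text context: <, >, &, quotes become
    entities, so the browser renders the payload as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    sql_payload = "x' OR '1'='1"          # constructed attacker input
    print(find_user_vulnerable(conn, sql_payload))   # every row
    print(find_user_safe(conn, sql_payload))         # no match: []

    xss_payload = "<script>alert(1)</script>"        # constructed attacker input
    print(render_greeting_vulnerable(xss_payload))   # script reaches the browser
    print(render_greeting_safe(xss_payload))         # rendered as inert text
```

The fix in both cases is the same idea the OWASP text implies: keep untrusted data out of the code position of the interpreter, either by binding it as a parameter (SQL) or by encoding it for the exact output context it lands in (HTML). A static taint analysis of the kind described on this page tracks the untrusted value from the point it enters the program to the `execute` or HTML-building call and flags the concatenating versions while accepting the parameterized and escaped ones.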
Traditionally, information systems security has mostly been understood as perimeter defence (firewalls, network security, access control, and so on).
However, perimeter defence is only part of the solution: to make information systems resistant to attack, security must be a multi-layer effort.
Application security is at the heart of the problem: it comes into play when an attack manages to get past the physical and digital outer defences. If the application itself contains “holes”, the attacker will take advantage of them and reach the sensitive information. A classic example is injection.
Countermeasures can mitigate the effect of an attack, but often the damage is already done in terms of: