Saturday, March 12, 2022

Can Electronic Design Automation Be Used To Help Compile Secure Source Code???

 


It seems like recently, software development and the security issues that go along with this process have been in the news lately.  I am assuming that it is perhaps because of the heightened tensions on a global basis, and the much-increased threat of more Cyberattacks originating from Russia and other close by regions. 

But whatever it is, having secure source code in any type or kind of application that you write and compile these days must be as safe and secure as possible.

If not, there are many backdoors that can be left wide open which simply means easy penetration for the Cyberattacker.  Now, there probably will never be a thing as 100% secure code.  But the efforts must be undertaken now to try to make this goal a reality perhaps even.

I have written about this topic quite a bit before, and even other people have written about and published about this very topic offering their own suggestions.  Some of these have included using the code development check lists that are available from both the OWASP and NIST, and from, me I have recommended Pen Testing source code at a modular level.

Now, there might be a newer tool that could come out to help software developers.  It’s already in existence in other industries, but its application for Cybersecurity would be totally brand new.  This tool is called Electronic Design Automation, or “EDA” for short.

It is currently being used in the electronics industry to help develop new chips, semiconductors, etc.  But the key here is that it is used in real time, not after the fact.

So, the thinking here is could the EDA be used like a virtual assistant of sorts to help a software development team track down issues in their source code in real time as well, thus perhaps even saving more time?  In order for this to happen, there has to be some key issues that need to be considered first. They are as follows:

1)     Lots of data must be used:

The thinking here is that as the source code is being developed, the EDA can offer feedback on a real time basis as to the robustness of it.  But in order for this, it must first make use of either an AI or ML based system, and for that matter, it must be sophisticated.  Then, literally tons of data must be fed into first so that it can build profiles as to what a robust line of source code should look like.  From here, further data must be continually fed into it so that it can then provide some valuable recommendations to the development team.  In this regard, various sorts of metrics and reporting tools have to be created and deployed into the EDA system in order for this kind of feedback to actually happen.  Also, various dashboards will have to be created for quicker viewing.

2)     Understanding the context:

By this, I mean the EDA has to understand what the goals are of the Web app that is being developed.  For example, is it an online store?  Is it a knowledge repository?  Is it just a basic website?  Is it a place where a Web scanning tool will be hosted to scan for a client’s website for any weaknesses?  As you can tell, there are a ton of applications that the EDA system may have to learn before it can really provide any real feedback.  An idea here is to use the principles along the lines of Siri and Cortana. You can simply talk to them to tell them what you want done.  In this instance, you could potentially tell the EDA system in your own voice what the Web app is all about.  But again, this will take quite some to develop further.

3)     Understanding intent:

In this regard, the goal here is for the EDA system to understand why the software developer wrote a particular line of code the way he or she did, versus another, more standardized approach.  This can be classified as a behavioral mechanism, which even today AI and ML systems can only offer at best at a very simplistic level.  We don’t need the system to tell the software developer at each and every step what should be done better.  It should only be done when it is absolutely necessary.  But for something like this to happen, the EDA system is going to have think and react like another software developer, and this is still something far off into the future.

4)     Providing feedback:

It’s one thing for the EDA system to point out to a software developer where there is a security gap or where line of code could perhaps be made better.  Then it’s the other thing for it offer suggestions and recommendations as to how that line of code could be written in a much more robust fashion or how it could be made more secure.  This is again following the example of Siri or Cortana.  For example, if we are driving, and either one of them provide a recommendation for a restaurant, and we don’t like it, they will offer other alternatives.  The reason that it can do this is that over time, they have learned about you by building up a profile about you over a long period of time.  This is also the hope for any future EDA system.  In fact, there are even certain areas within Microsoft Azure that will even offer how to best remediate the possibilities of being attacked by a threat variant.

5)     It must keep learning:

Just as much as the Cyber Threat Landscape is evolving, so is the software development world.  Now I am by nowhere even remotely close to being one, I know from my conversations with others and even visiting the forums that there are new ideas and innovations that are always coming up.  Therefore, the EDA system has to keep up with all of this well, across all of the development languages, in order to provide the best recommendations possible, assuming that we are even close in theory to approaching that stage.  For example, it will have to learn all about the Python, PERL, PHP, etc.  which are most popular programming languages today.

My Thoughts On This:

Keep in mind that all I have written here is just in theory alone, but the way the world is going, it is quite possible that using an EDA system in this way could become a reality.  And if it does, it could be of great help, because all of this will be done on a real time basis.  In other words, there will be no need to take certain downtime to run a Pen Test on a source code module, etc. 

Perhaps the best way to get started first is with #1.  We must first attempt to get the EDA system to learn as much as it can first, and then start with providing very basic feedback at least on a ranking or some of other categorization scale (such as #1 being not secure at all to #10 being most secure as possible, etc.).

No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...