Translated by
2019/07/02 15:37:04

Daniil Chernov, Rostelecom-Solar: Our software security analyzer is of interest to foreign markets

Daniil Chernov, head of Solar appScreener at Rostelecom-Solar, talks about why it is important to be able to "find vulnerabilities well", which technologies cope successfully with this task, and how they have already been evaluated in foreign markets.

Daniil Chernov: In the static-analysis niche we have gone further than the market: we analyze not only source code, but also executable programs

Analysis of executable program code is not new. There was a time when "white-hat hackers", a small caste of the "specially initiated", analyzed software using special programs, disassemblers. Today tasks of that level are handled by IT products that can easily be purchased on the open market. How did this become possible?

Daniil Chernov: Yes, disassemblers have existed for a long time, but today the market is discussing a somewhat different category of IT products: those that are able to reverse-engineer program code. The difference is that in the first case a person receives, for subsequent analysis, code in assembly language, which is very hard to read; there are next to no such craftsmen on the whole planet. In the second case it is about recovering high-level code that is very close to the program the developer wrote. The main task of such a product is to detect vulnerabilities and "backdoors" (undeclared capabilities, NDV in Russian terminology) and to point the user to the corresponding fragments of the recovered source code that contain these vulnerabilities and backdoors.

But can vulnerability analysis of corporate software also be carried out without recovering the source code?

Daniil Chernov: It can. Products have long existed that take an executable file and, after a number of manipulations with it, produce a certain list of vulnerabilities. In the cybersecurity industry this is called the "black box" method. Figuratively speaking, you found a black box on the road and want to understand what is inside it. You kicked it, weighed it in your hand, listened to it, knocked on it, and so on: that is, you applied a stimulus and watched the reaction. The same goes, for example, for website software running on a server: you send it different requests and from the responses try to work out what its operating system is, what "holes" there may be in the software, and so on.

And there is the "white box" method, when we can look at what is in the box and study everything in detail, as if under a microscope. The corresponding technologies belong to the class of static code analysis. Each approach has its pluses and minuses.

The advantage of the "black box" is that, in essence, all you need to work with it is a toolkit of "stimuli" and an understanding of how to interpret the system's reaction. The minus is that the coverage of vulnerabilities is limited; many of them we will simply never detect this way. For example, if a power plant control system contains a backdoor that says "on December 31, 2022, switch everything off", the black-box method will not find it. In that case you need to understand what actions are built into the algorithms.

Or SQL injection: its pieces are scattered across different places in the program. To detect them you need to build a model of the code being analyzed. It includes the data-flow graph, the control-flow graph, analysis of how variables are used in the system, and so on. What is actually analyzed is a model of the software, not the program text. This is what "white box" technologies do.

And what "color" is your product, Solar appScreener?

Daniil Chernov: Traditionally any software analyzer "plays" in one field or the other. Nowadays it is fashionable in marketing to declare support for both methods, but in terms of craftsmanship each vendor is still focused on one of them. Our tool uses the "white box" method. On top of that, thanks to our unique technology of binary analysis and automatic reverse engineering, we can, figuratively speaking, turn an executable file from a "black" box into a "white" one for further checking.

We called this type of analysis binary because what is analyzed is the executable file, literally the zeros and ones. Let me explain with an example. Say you have an executable file, for instance a mobile application for Android OS, but no source code. We upload the file into Solar appScreener, and it scans it directly at the binary level. At that level it understands where and which vulnerabilities are present. Then reverse engineering kicks in to turn those zeros and ones of the executable file into human-readable code. At the output the system reports: here are the vulnerabilities found, and here is what they look like in a high-level language. I look and understand: aha, here is unsafe reflection, and here an encryption key is hard-coded in the source. In other words, in the static-analysis niche we have gone further than the market: we analyze not only source code, but also executable programs.

Why is such a technology needed?

Daniil Chernov: Let's say your company's development department wrote its next piece of software and the internal customer accepted it. Quite often your cybersecurity department for some reason cannot get access to the source code. A striking example is mobile application development, which banks, for instance, quite often hand to outsourcing companies. In such a situation developers hand over source code to the customer extremely reluctantly, and even if they do, the customer has few real opportunities to check whether that is the source code that then goes to production, i.e. is uploaded to the App Store and Google Play.

A paradoxical situation arises: the bank ordered the development, but to the bank it is a black box. Dynamic analysis will hardly help here in terms of quality. But if you use Solar appScreener's binary analysis, you get a "white" picture that you then study using static analysis. It turns out the bank can independently take the finished code from the App Store and Google Play, upload it for analysis, and the application's "black box" turns "white".

I can say with confidence that, apart from us, nobody in the world has yet managed to implement the full chain in one product: reveal the list of vulnerabilities, show their location in the program, and accompany that with the text of the recovered code.

Why then did your product not get into the corresponding Gartner "Magic Quadrant"?

Daniil Chernov: We are in contact with Gartner analysts. In 2017 Solar got into the Gartner Hype Cycle. Last year we were invited to the evaluation, but we did not pass on specific requirements. The point is that, besides the technical part, Gartner has a number of business requirements for candidates for the quadrant. In particular, there are requirements on the distribution of the company's global turnover by country: sales in the USA, Europe and other regions are counted separately. Unfortunately, even with confirmed references from international customers, on the sales-volume parameter in a number of regions we did not yet get through Gartner's business filter. But it is only a matter of time. We are now developing very actively in international markets.

Today, it seems, code analysis is becoming a mandatory element of the business processes of any company that develops or uses IT. Do you agree?

Daniil Chernov: If you look at the evolution of information security technologies in historical retrospect: antiviruses, firewalls, network-level intrusion detection systems, DLP systems, it is obvious that all of them followed a similar path: exotic, then a mature market, then an element of basic hygiene, i.e. something that must be in every company. Code analysis systems are rapidly turning into an element of basic hygiene for corporate IT.

The constant emergence of new software, written either by in-house developers or to order by a third-party company, is a phenomenon that can be called a basic element of business today. At the same time, business needs things developed quickly. Because that is money: whoever enters the market first with a new offering wins. Since business sets IT very tough deadlines, developers try to find a considerable part of the code in ready-made form. In our experience, today developers take 80-90% of the code from libraries and third-party components and write the rest. These third-party components are today the main channel through which vulnerabilities and "backdoors" enter corporate information systems.

Besides, developers most often do not think in terms of information security; what is usually demanded of them is a product with certain functionality, a user-friendly interface, no bugs and highly reliable operation. According to official statistics from the Ponemon Institute, an authority in the IT field, in 2018 insecure software was the cause of a data compromise in 75% of companies worldwide. And according to the U.S. Department of Homeland Security, more than 90% of successful cyberattacks are carried out using various gaps in applications. Yes, companies have achieved a lot in cybersecurity, but the last frontier, application software, has remained poorly protected.

Is open-source software, which our developers love to use, also a source of problems? Who checks the huge amount of code that the community generates?

Daniil Chernov: It is checked extremely rarely in general. And even if one person showed enthusiasm, found a "hole" in the software and published a report, and another fixed the gap, it is not a given that all third-party developers will take the version with the closed vulnerability. Unfortunately, a very common scenario is: googled it, took the first suitable library and inserted it into the software.

Of course, freely available software is a good thing, but it is no less important to realize what you are bringing into your information system, and to check third-party software for vulnerabilities and "backdoors". Open-source software, Android and iOS libraries, Facebook modules (our companies like to work with social networks): there will almost always be something in them for an application security analyzer to pick at.

So it seems the "free cheese" will necessarily come with holes?

Daniil Chernov: Open source is the undisputed champion in this respect. But, you know, proprietary software is quite often not without flaws either. For example, there are some popular web platforms for building websites that it makes literal sense to scan with a code analyzer after purchase. Otherwise there is a real chance of acquiring, together with the platform, a set of vulnerabilities through which even a beginner hacker, a pioneer of the dark space so to speak, can break into your website.

We have a cloud software-scanning service: several hubs in different parts of the world where dozens of scans are performed daily. We collect statistics and calculate the average security level. And for mobile applications the average security level on a five-point scale (5 being maximum protection) is 2.0-2.3, i.e. a two plus... And if an application at least matches this average level, that is already considered quite a good result.

Returning to open-source software, I will separately note one scandalous vulnerability of mobile applications which, together with open source, makes the main contribution to their insecurity. Any application communicates with a server and should check that server's certificate before any meaningful communication. However, the open-source libraries responsible for this process are very often configured by default to accept any server, i.e. to let everyone in.

What do your statistics say about deliberate and unintentional holes in software security?

Daniil Chernov: Indeed, there are unintentional vulnerabilities (errors in code construction, typos) and deliberately created holes (they are called backdoors or undeclared capabilities). But even the latter are not always created with the intent to do harm. A frequent real-life example: I am writing the code of, say, a CRM system and I hard-code "if I am Daniil Chernov, give me administrative access" so that I can do whatever I want in the system. I may have malicious intent, for example I decided to steal customer data. But more often it is done to make my own life easier in the first months after the system is handed over to the customer. Those months are usually hard, and it is much simpler for me if I can log into the system bypassing the rules and manage whatever is needed, for the customer's benefit. Then I leave for another company, and this gap remains. And it becomes a "backdoor". Such "backdoors", made with the best of intentions but, so to speak, "off the books", are quite common.

Is software analysis the area of responsibility of the cybersecurity department alone?

Daniil Chernov: As a rule, the driving force behind application security checks is usually the security staff. However, if earlier they merely accompanied development, observed, and nothing was required of them until the first incident, now they have to be integrated into the process and control what is happening. An interesting situation arises.

For developers, additional checking of the code for vulnerabilities is like a fifth wheel on a cart: not only will colleagues dig through your software, you then have to fix the vulnerabilities if there are any. So deadlines slip, bonuses go with them, and on top of that business is shouting at you. Because business wants clients to see the new system in three days, and security is pointing at software full of holes.

In general, responsibility is distributed like this: the task of information security is to identify all the risks for the business, and the final decision remains with the heads of the business. Perhaps for them it is crucial to launch a new service a day before the competitor, even with vulnerabilities. In an ideal world there should be a chain: developers, security, business. Developers should proactively check themselves; then the security staff will catch fewer vulnerabilities. And business will be involved only in a difficult situation, when a decision really has to be made about what to risk: the project deadline or vulnerabilities in the software.

Is this purely an organizational task, or can IT help?

Daniil Chernov: The code analysis tool should be convenient, i.e. automated and built into the development cycle. The developer wrote a piece of code, clicked, and the code went to the repository. There the scanner picked it up on its own, sent it for analysis, and automatically sent the results to all interested participants in the development process.

There is a special name for all this: the secure software development process (Secure Software Development Lifecycle, SSDLC). It means that software security checking is seamlessly integrated into the traditional software development process (Software Development Lifecycle, SDLC). It is similar to a Business Process Management Suite: first we agree on the rules and parameters (how often, what exactly, and in what order things are checked), then we configure the management systems to these parameters. The company then gets a full-fledged software security monitoring center that includes both the software analysis tool and the corresponding business processes on the platform.

Are there many companies that work in this style, with rules and checks in automatic mode?

Daniil Chernov: There are many of them, and there are more and more. Because from a certain size, say 20-30 developers, they can no longer do their work effectively without automating control over development. By the way, secure development practices should be implemented gradually: to start with, take the application that is most critical from the business and security point of view. Say, if the company provides an online service, that is at least the website and the mobile applications. Start running the process on them. Because if you scan all corporate software at once, hordes of vulnerabilities will be detected and your head will spin. Then add the next systems, perhaps CRM or accounting, understanding that the red signal of increased danger is on everything that has an exit to the outside world.

Are software analysis systems a growing market?

Daniil Chernov: Gartner analysts estimated the global Application Security (software security) market in 2018 at 2.7 billion US dollars. There is an expert forecast according to which in 4-5 years this market will reach 10 billion dollars. In our view that is a very conservative estimate. Most likely growth rates will be higher. If all the stimulating factors are taken into account, even exponential growth of the software security analysis market is possible.

In a hot market the competition should be hotter still. How do competing suppliers measure up against each other?

Daniil Chernov: Good question. Vulnerabilities are out in open sources. Analyzer vendors compete on search algorithms. Each vendor's task is to make sure gaps in software are detected quickly and within the limited resources the client can allocate. The phrase "to find vulnerabilities well" means, in essence, two parameters. First, a minimum of false positives: alerts on a "vulnerability" that does not actually exist. Second, a minimum of misses (when a vulnerability exists but the product does not find it), which is perhaps the most dangerous thing that can happen.

Will the battle of algorithms be endless?

Daniil Chernov: Of course. And it is an incentive for the vendor's technology development. Take false positives, for example. If you process them the traditional way, "bluntly" with a linear filter, it requires a lot of resources. And we found another approach, the result of our research work: we use a fuzzy logic engine, a fuzzy-logic module that allows false positives to be filtered out without reducing the percentage of detected vulnerabilities.

I will note that the fuzzy logic engine functionality was built into Solar appScreener from the start, but this module is constantly evolving: the vulnerability search rule base expands, rules are adjusted and adapted. For example, until last autumn users had no possibility of using this module directly, i.e. of tuning the engine's filters individually. Now that functionality is available. By our estimates, over the last two to three years the "quality" of findings has improved threefold thanks to the development of the fuzzy logic engine module.

By and large, one barrier for clients will be eternal: the amount of resources, the computing hardware, that the customer is ready to allocate to such a system. This dilemma will apparently always exist: the algorithm is excellent and works fast, but it needs a rack of servers. There will always be a triangle: quality, speed, resources. Vendors have played, play and will play with these parameters.

Can the cloud version of the software analysis service change the situation?

Daniil Chernov: The cloud option of using the product is indeed convenient: the client needs only a browser in which he sees the product interface, and the computing capacity is ours. I will note that clouds are more popular in the Western market: the client gets an account and works in a personal cabinet, uploads software, scans. Russian clients, for the most part, prefer Solar appScreener to be fully deployed on their own premises.

Is the difference in cost significant?

Daniil Chernov: Cost depends on the conditions of use. If software needs to be checked a few times a month, the cloud is most likely more profitable. If you need to check more often and a large amount of software, the on-premises version is more profitable.

Do vendors of software analyzers differ from each other in the number of supported programming languages?

Daniil Chernov: Yes, it is an important differentiating parameter. A wide list of programming languages is needed to cover all the needs of any client. Rostelecom-Solar today is the world leader in the number of supported programming languages. We now have 26; in July there will be 29, in October 31. We release a new version of the product every quarter, including support for modern languages. The closest competitors have 25 languages now, but our sets differ. For example, we have languages that no competitor has at all: Solidity, say, the language for describing smart contracts in blockchain technology. Besides, demand for programming language support differs between countries. For example, in Russia's banking sector one can still quite often encounter Delphi, which is almost unused in the West and is considered badly outdated. Conversely, applications written in Groovy and Kotlin, which are popular abroad, are found here quite rarely.

By the end of the year we will reach a state where we support all the languages our competitors have, plus several others that the competitors do not.

How can a potential client compare different tools and choose the best one?

Daniil Chernov: You need to take a piece of code for which it is known what vulnerabilities it contains. Preferably there should be many of them, and diverse. Such test software exists; it is well known to specialists and is used, in particular, for training ethical hackers. If you ask us, we can recommend specific deliberately vulnerable open-source applications suitable for testing software analysis in particular programming languages.

Then we compare the results and see which product coped better with detecting the vulnerabilities. And we also look at second-level parameters, for example the time the scanner took to solve the problem, the readability of the report provided, and so on. You must agree it matters whether we launch the scanner in a couple of clicks, as with Solar appScreener, or have to take ten steps and, moreover, first study a volume of documentation or attend courses, otherwise you will not understand it.

A software analyzer is an expensive product. Does it make sense to use free open-source scanners?

Daniil Chernov: Why not? It happens that a company for some reason simply cannot afford a commercial product. Then it either does nothing for software security or uses a free open-source product. The latter is, of course, weak, but still better than nothing. At the same time, of course, one should not forget that open-source software is supported by enthusiasts, and most often that support is at an insufficiently high level. Really, where would they get the resources for serious R&D? For research into algorithms? For maintaining the vulnerability database in the product?

How "smart" are modern code analyzers?

Daniil Chernov: In terms of the user interface, software analysis products are getting simpler: you do not need training to launch an analysis and download the report. And "under the hood" the software analyzer has a lot of "intelligence". For example, a cybersecurity specialist with no experience at all in developing software products can work successfully with our analyzer. It is enough for him to upload the file, and the system itself will work out which programming languages are used and will issue a report in language he understands, with recommendations for further action.

In other words, the software analyzer will not only show which vulnerabilities were detected in the software, but will also explain why that is bad and, in certain cases, describe a possible attack scenario. For example, if the vulnerability we talked about earlier is found (the mobile application does not check the server's certificate), the system gives references to sources where material on the subject can be read, and will also present the user with a probable attack scenario, which looks as follows:

  1. The attacker gets into the user's local network and redirects his traffic through the attacker's server (for example, using an attack such as DNS cache poisoning).
  2. The user initiates a connection to safeserver.example.com over SSL/TLS.
  3. Instead of the public key of safeserver.example.com, the attacker sends the application his own public key and a valid certificate issued to him by a certificate authority for the domain hackedserver.example.com.
  4. The application is satisfied that the received certificate is valid (for hackedserver.example.com), ignoring the fact that the certificate was issued not for the domain to which the connection was originally requested.


I will add that for me as a user it is important to be able to configure reports easily. Say I have little time and want to see the 15% most important analysis results. And I also want to immediately exclude standard libraries from the results the scanner produced. It is possible to preset such settings, which will organize the most convenient and informative display of results for me.
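The scenario above is the classic hostname-verification failure: the application validates the chain but never checks that the certificate was issued for the host it asked for, or it switches validation off altogether. As an added illustration (an editor's example, not part of the interview and not Solar appScreener's rule set), the Python script below is a toy static-analysis rule of the kind such a product applies to Android/Java source: it flags an `X509TrustManager.checkServerTrusted` with an empty body, a `HostnameVerifier.verify` that always returns `true`, and the `ALLOW_ALL_HOSTNAME_VERIFIER` / `NoopHostnameVerifier` constants, and reports the line of each hit. The two Java snippets are constructed sample input, and the class names `InsecureClient` and `SecureClient` are hypothetical.

```python
"""Toy static-analysis rule for disabled TLS verification in Android/Java code.

Editor's example: a hypothetical, text-level rule, not a product's engine.
Real analyzers work on a model of the code (AST, control- and data-flow
graphs); this script only matches source text with regular expressions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str     # rule identifier
    line: int     # 1-based line where the match starts
    snippet: str  # first line of the matched text


# Each rule is a regex over the whole source; \s* lets a match span lines.
RULES = {
    # X509TrustManager.checkServerTrusted with an empty body: the chain is
    # never validated, so any certificate (self-signed included) is accepted.
    "trust-all-trustmanager": re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
    # HostnameVerifier.verify that unconditionally returns true: a valid
    # certificate for hackedserver.example.com passes for safeserver.example.com.
    "always-true-hostname-verifier": re.compile(
        r"\bverify\s*\(\s*(?:final\s+)?String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
        r"\s*\{\s*return\s+true\s*;\s*\}"),
    # Library constants that switch hostname verification off entirely.
    "allow-all-verifier-constant": re.compile(
        r"\bALLOW_ALL_HOSTNAME_VERIFIER\b|\bNoopHostnameVerifier\b"),
}


def scan(source: str) -> list[Finding]:
    """Run every rule over `source` and return the findings ordered by line."""
    findings = []
    for rule, pattern in RULES.items():
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            snippet = source[m.start():m.end()].splitlines()[0].strip()
            findings.append(Finding(rule, line, snippet))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample input: the insecure pattern the interview describes.
VULNERABLE_JAVA = """\
import javax.net.ssl.*;
import java.security.cert.X509Certificate;

public class InsecureClient {
    // Trust manager that accepts every server certificate.
    TrustManager[] trustAll = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // Hostname verifier that never rejects a name mismatch.
    HostnameVerifier anyHost = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    void configure() {
        HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }
}
"""

# Constructed sample input: platform defaults left in place, nothing overridden.
HARDENED_JAVA = """\
import javax.net.ssl.*;

public class SecureClient {
    void configure(HttpsURLConnection conn) {
        // The default factory validates the chain against the platform trust
        // store and the default verifier checks the hostname against the cert.
        conn.setSSLSocketFactory(HttpsURLConnection.getDefaultSSLSocketFactory());
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
    }
}
"""


if __name__ == "__main__":
    for name, src in (("InsecureClient.java", VULNERABLE_JAVA),
                      ("SecureClient.java", HARDENED_JAVA)):
        for f in scan(src):
            print(f"{name}:{f.line}: [{f.rule}] {f.snippet}")
```

Run as a script it prints three findings for `InsecureClient.java` (lines 9, 16 and 20) and none for `SecureClient.java`. The regexes are a deliberate simplification: they match text rather than a data-flow model, so a verifier that returns `true` via an intermediate variable is a miss, and an empty `checkServerTrusted` in dead test code is a false positive, which is exactly the two-sided trade-off the interview calls "finding vulnerabilities well".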

Can the specifics of the IT system be registered in advance? It is known that the rules describing vulnerabilities may look different depending on the specific configuration of hardware and software tools.

Daniil Chernov: Yes, vulnerabilities can manifest differently depending on the features of the hardware and software environment in which the software runs. Let's take a simple example: a website and the well-known SQL injection vulnerability. The analyzer identified the vulnerability and displayed it in the report, but we know that in our system environment there is a Web Application Firewall that does not allow this vulnerability to be exploited. Then the cybersecurity specialist can tell the system to disregard this situation, or lower the sensitivity level.

By the way, the Solar appScreener report also makes recommendations of this kind: how to block exploitation of a vulnerability by configuring the Web Application Firewall, so as to take the quickest protective measures. A list of the most popular firewall models is maintained, and for each a list of settings and recommendations on applying security policies is provided.

Rostelecom-Solar works in foreign markets. How difficult is that in the present geopolitical situation?

Daniil Chernov: Our product is bilingual, and we are actively expanding our presence in foreign markets. We have customers in Malaysia, Singapore, South Korea, Australia, Latin America, etc. Recently we completed a project to implement the Solar appScreener application security analyzer at GNP Seguros, one of the largest insurance companies in Mexico.

In that country the problem of information security for local companies is particularly acute. According to the IOCTA 2018 report of Europol's European Cybercrime Centre, Mexico is the second country in Latin America after Brazil by the number of cyberattacks that took place in 2018. Using Rostelecom-Solar's application security analysis technologies, the customer was able to build an automated secure software development process. In particular, integration of the analyzer with task trackers and the code repository management system was implemented, as well as a set of APIs for integration with vulnerability management systems.

An important event is connected with South Korea. The country's cybersecurity regulator, the Korean Internet & Security Agency (KISA), selected Solar appScreener to increase the security of its developments and services. During the competitive selection KISA studied a number of the most advanced solutions implementing application security analysis technologies, from both local and international developers. It is known that South Korea has very strict requirements for the certification and licensing of information security solutions. Under these conditions Solar appScreener was recognized as the strongest, both in terms of functionality and in terms of convenience and ease of use.

As part of Rostelecom, we plan active work in the Vietnamese market. In May an intergovernmental memorandum of understanding aimed at developing cooperation in information and communication technologies was signed. It was signed by the heads of Rostelecom and VNPT, Vietnam's leading telecommunications provider, in the presence of the Russian Prime Minister and the Prime Minister of Vietnam.

Leaving geopolitical prejudices aside, our software analysis product is very interesting to foreign markets: convenience, simplicity, a large number of languages, binary analysis. We are now engaged in business development in foreign markets: gaining experience from local projects and developing a global partner network, for example in terms of transforming classic resellers into VAR partners capable of carrying out large integration projects. We have big plans in this sense; the world market is huge and opens great opportunities for business growth, regardless of any political collisions.