Comments by: Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group
Recent zero-day vulnerabilities in Apple’s iOS are a stark reminder of the complexity of software security.
First, software is made of many smaller pieces, which are often open source components. In the case of iOS, the vulnerable component was WebKit. Most software products have hundreds, sometimes thousands, of open source components. The security of the whole product is only as good as the security of the components, so it is critically important to understand which components have been used and keep them up to date as vulnerabilities bubble to the surface.
Second, handling arbitrary input is always a challenge. While developer training and awareness can help, the very best defence against unexpected and badly formed input is fuzzing during product development. Fuzzing is an automated testing tool that delivers thousands or millions of test cases to a piece of software or a software component. When fuzzing causes a failure, the test case can be reproduced so that developers can fix the vulnerability. Incorporated as part of a secure development life cycle, fuzzing helps teams squash zero-day vulnerabilities before software is distributed to customers.