@ISACA Volume 16, 9 August 2017

Cruft—It Is Tough


Bruce R. Wilkins

In the past, I have written about the backwaters of IT. Obsolete or specialized processors sit on the edge of your state-of-the-art IT architecture and create an area ripe for hacking. Often, these processors are also a blind spot for intrusion detection. This article takes a journey into something called “cruft,” the backwater of your software application.

What is cruft? Cruft is defined as software source code that is no longer needed in the application to perform the specific function of that application. The two major types of cruft are unreachable code and dead code. Unreachable code is present in the program at runtime, but no logical path ever exercises it. There is good news about unreachable code: today, most modern debug tools and code checkers will notify you of it. Dead code is source code that is present in the program but is no longer needed, or was never needed. This code is loaded and its logic executes at runtime. Dead code is hard to detect. It is like a tick. You must search your whole source code library to ensure you do not have a stray parasite.

Where does cruft come from? Cruft is mostly found in programs that were modified over a long period of time. A common example is modeling software. Professors and other experts who develop modeling software tend to focus on the subject matter rather than the software architecture. As a result, over time, extraneous software is left in the program. Cruft also appears when assembling libraries from various sources and combining them to create a Frankenstein program. I call it a Frankenstein program because the pedigree of the software is often undefined and the amount of code that is cruft can be significant. This is often an issue in open source code libraries and products. I have seen software libraries that are built into an application that are 750,000 lines of source code, of which fewer than 15,000 lines are needed. However, no one had the expertise to remove the cruft, and there was not enough time to develop the functionality represented in the 15,000 lines of code. Some cruft is intentionally introduced by product manufacturers and is unknown to typical software developers. Source code that is interpreted at runtime tends to be slow. However, in some cases manufacturers provide the ability to pre-interpret source code, also called pre-stored procedures. These half-interpreted procedures (also inaccurately called pre-compiled procedures) carry parts of the interpreter within them to finish interpretation at runtime.

What do you do to minimize cruft? Sitting in configuration management activities can be boring, especially if you are not a software developer. However, it is in these activities that one identifies the potential for cruft and remedies for removing it. Some steps to minimize cruft include:

  • Preliminary and critical design reviews—I know these activities are characteristic of the waterfall system development life cycle (SDLC). That being said, one must adapt the best of breed to whatever SDLC you are using. Approaches such as design reviews are beneficial in SDLCs such as Agile or V Model development. This gives a person insight into the approach the developer plans to execute at the software source code level.
  • Code checkers—This is the best way to find cruft that is unreachable. If it gets past the software debuggers, this is a sure way of finding the problem.
  • Understand the difference between developed code, open source libraries, open source products and commercial products—Each class of source code represented in these categories has cruft. Some you can remove; others you have to accept.
  • Understand the software architecture—Monitor where change is happening and where change is not happening. Both areas have the potential of hiding cruft.
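The definitions above and the "code checkers" item both describe what a tool has to look for: a statement that no path can reach, and a definition that is loaded but never used. The following Python script is an added illustration and is not part of Wilkins' article; it implements both checks over a constructed sample module using only the standard-library `ast` parser. The sample source, the function names and the `audit` helper are assumptions of this example. The unreachable-code check is the kind a compiler or linter already performs; the dead-function check is a heuristic, which is exactly why the article calls dead code hard to detect.

```python
import ast

# Constructed sample module (not from the article). It carries one unreachable
# statement (line 4, after a return), one dead function (legacy_discount, defined
# and loaded at import time but never called) and live code around them.
SAMPLE_SOURCE = '''def compute_tax(amount):
    rate = 0.07
    return amount * rate
    print("never runs")

def legacy_discount(amount):
    return amount * 0.5

def total(amount):
    return amount + compute_tax(amount)

print(total(100))
'''

# Statements after which nothing else in the same block can execute.
TERMINATORS = (ast.Return, ast.Raise, ast.Break, ast.Continue)


def find_unreachable(tree):
    """Report statements that follow a return/raise/break/continue in the same
    block. Returns a list of (line_number, reason) tuples, one per block.

    This mirrors what a compiler or linter does when it flags unreachable code.
    It does not evaluate conditions, so code guarded by an always-false test is
    out of scope for this simple scan."""
    findings = []
    for node in ast.walk(tree):
        for field in ("body", "orelse", "finalbody"):
            block = getattr(node, field, None)
            if not isinstance(block, list):
                continue  # e.g. Lambda.body is an expression, not a statement list
            for index, stmt in enumerate(block):
                if isinstance(stmt, TERMINATORS) and index + 1 < len(block):
                    following = block[index + 1]
                    reason = "statement after " + type(stmt).__name__.lower()
                    findings.append((following.lineno, reason))
                    break  # report the first unreachable statement per block
    return findings


def find_dead_functions(tree):
    """Report module-level functions whose name is never referenced anywhere in
    the module. Returns a list of (line_number, function_name) tuples.

    Heuristic only: a function used through getattr(), a string, or from
    another module looks dead here, so treat the output as candidates to
    verify, not as a delete list."""
    defined = {
        node.name: node.lineno
        for node in tree.body
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef))
    }
    referenced = {
        node.id
        for node in ast.walk(tree)
        if isinstance(node, ast.Name) and node.id in defined
    }
    return sorted((line, name) for name, line in defined.items() if name not in referenced)


def audit(source):
    """Parse a module's source text and return both kinds of cruft findings."""
    tree = ast.parse(source)
    return {
        "unreachable": find_unreachable(tree),
        "dead_functions": find_dead_functions(tree),
    }


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_SOURCE).items():
        for line, detail in items:
            print(f"{kind}: line {line}: {detail}")
```

Running the script on the sample reports the `print` on line 4 as unreachable and `legacy_discount` on line 6 as a dead function, while `compute_tax` and `total` are left alone because other code names them. Pointing `audit` at a real module of any size works the same way; the dead-function list is where a reviewer's judgment is still needed, since an exported or dynamically invoked function cannot be told apart from cruft by a single-module scan.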

The existence of cruft affects the size of the executable program, its performance and its security posture. It is critical to understand the software architecture of a given application. Cruft is but one small part of application development security; however, it is one of the easiest to remove and protect against.

Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins has the opportunity to provide his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing sec.


Understanding Vulnerabilities Webinar


Every day, security teams are overwhelmed with the growing number of vulnerabilities in their environments. What should be prioritized if there are 10,000 critical vulnerabilities present at once, and how do you quickly gain insight into their impact as each of these vulnerabilities arises? Understanding which vulnerabilities are most likely to be exploited by an attacker is critical for effective prioritization. ISACA and Rapid7 have partnered to present the “Threat-Driven Vulnerability Prioritization” webinar to highlight the need for vulnerability-based threat intelligence and to demonstrate the value of incorporating it into your security program. This webinar takes place on 10 August at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Jane Man, senior product manager at Rapid7, and Tom Sellers, security researcher at Rapid7, will lead the webinar. They will use their combined experience of setting up and implementing innovative security solutions to provide insight into defending your organization from vulnerabilities.

To learn more about this webinar or to register for it, visit the Threat-Driven Vulnerability Prioritization page of the ISACA website.


Containerization: Scalable, Efficient, Productive


Hosting service applications on containers makes aligning security and compliance policies more manageable. Automation allows for standardization of security controls. The emergence of containers has enabled companies to grow, scale up, and become more productive and efficient. ISACA and Adobe have partnered to present the “Leveraging Container Technology to Better Achieve Compliance” webinar to discuss key issues that application containers may help solve. This webinar takes place on 15 August at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Prasant Vadlamudi, senior manager for risk and advisory at Adobe, will lead the webinar. In it, Vadlamudi will share his experience using application containers at Adobe to provide insight into using this technology to set up new and existing services in a secure and compliant way for your enterprise.

To learn more about this webinar or to register for it, visit the Leveraging Container Technology to Better Achieve Compliance page of the ISACA website.


Develop an Effective Internal Control Environment


Internal control is a systematic means of providing assurance that enterprise operations provide sufficient protection from internal and external threats. These threats can be malicious or driven by lack of adequate process control. Internal control sets up the necessary structure to prevent or detect issues that arise so they can be mitigated or corrected in a timely manner. ISACA’s recently released internal controls video presents a series of concepts around internal control, control activities, and how they are implemented and managed within an enterprise.

In this video, you will learn the specific issues that affect the establishment of an effective internal control environment and how the controls relate back to the governance structure (i.e., COBIT 5). To learn more about implementing proper internal control for your enterprise, visit the Internal Controls Video page of the ISACA website.


Implementing a Privacy Protection Program: Using COBIT 5 Enablers


Between recently well-publicized breaches and noteworthy regulatory issues such as the General Data Protection Regulation (GDPR), the privacy of user information and personal data is becoming an increasingly important topic. There is no shortage of advice about privacy for the audit, security, risk or governance practitioner, but it can be hard to know where to start. How can privacy be approached holistically in an organization? How is privacy integrated into broader governance efforts? What are the practical and crucial considerations to account for as the privacy program is planned?

ISACA’s Implementing a Privacy Protection Program: Using COBIT 5 Enablers, a follow-up piece to ISACA’s Privacy Principles and Program Management Guide, helps address these and other questions. This publication provides a governance-focused approach to privacy that centers on integrating privacy efforts within a broader framework. Specifically, the publication takes the ISACA Privacy Principles (outlined and described in the first volume) and integrates them into the broader COBIT business framework. By contextualizing privacy within an organization’s broader governance efforts, an organization can ensure that privacy needs are met and, in so doing, help address regulatory considerations such as the GDPR.

To download this program, visit the ISACA Implementing a Privacy Protection Program: Using COBIT 5 Enablers page of the ISACA website.


Women in Technology: Mentors and the Next Generation of Cyber


Strong women cyber security leaders and executives are in short supply. Why is it that many women enter technical fields and cyber, but leave before reaching executive levels? What can be done to support the growth of women in cyber?

ISACA presents the “Mentorship Matters: Cultivating the Next Generation of Cyber” webinar. In it, panelists Amy Brachio, CPA, partner and global and Americas advisory risk leader at Ernst & Young LLP; Edna Conway, chief security officer of global value chain at Cisco; Lisa Lee, CISA, CRISC, senior technology examiner at the Office of the Comptroller of the Currency; Chenxi Wang, founder at the Jane Bond Project; and Shelley Westman, senior vice president of alliances and services at Protegrity, will provide recommendations on what the industry can do to ensure it supports and retains talented cyber security professionals and helps them grow into leaders through the entire career life cycle. The panel discussion will be moderated by Diana Kelley, global executive and security advisor at IBM. This webinar takes place on 17 August at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

To learn more about this webinar or to register for it, visit the Mentorship Matters: Cultivating the Next Generation of Cyber page of the ISACA website.