344 Core Software Security
process is more about an attitude change, management acceptance, and
business/operational process changes than about blazing new trails in new
scientific or technical disciplines.
The price to fix vulnerabilities later in the cycle is very high. The level
of effort that is required to tune and maintain current product secu-
rity tools can be more expensive than buying the tool. Although much
of the burden of making this change is on the vendor, we have some
thoughts that may help change this paradigm. We propose a paradigm
shift away from vulnerabilities in software security. Not every vulner-
ability gets exploited, or is even exploitable. Often, mitigations that are
not obvious to vanilla vulnerability scanners make even garden-variety
vulnerabilities unattractive to attackers. We are not suggesting that we
stop fixing bugs in code. Quite the opposite, as should be clear from the
contents of this book. Still, delivering reports with thousands of vulner-
abilities have not made software secure. However, as a collective whole,
the security industry continues to focus on vulnerability: every new type
of attack, every new variation, and every conceivable attack methodol-
ogy. Instead, a focus on correct program behavior aligns well with how
developers approach designing and creating code. Correctness goes to the
heart of the software process. In our experience, developers are rewarded
for correctness. And it should be obvious that vulnerabilities are errors,
plain and simple. Focusing on correctness would, unfortunately, be a sea
change in software security. Tools today often don’t report the one, single
bug that will respond to multiple variations of a particular type of attack.
Instead, too often, tools report each variation as a “vulnerability” that
needs to be addressed by the developer. This is the way security people
think about the situation. It’s an attacker’s view: Which attack methods
will work on this particular system? That is the question that most vulner-
ability scanners address today (as of this writing). However, people who
write code simply want to know what the coding error is, where it is in
the code, and what is the correct behavior that must be programmed.
Often, if the tool contains any programming hints, these tend to be bur-
ied in the tool’s user interface. Instead, we propose that a tool should be
no more difficult to use than a compiler. The results could be a list of
code errors, coupled to line numbers in the code, with a code snippet
pointing out where the error lies. Of course, this is an oversimplifica-
tion. Some kinds of security vulnerabilities lie across code snippets, or
even across a whole system. Still, focus could be on what is the coding