Black Hat: Think like an attacker

The best defence is a good attack strategy, security consultant says

The best way to develop software applications that can defend themselves against malicious attacks is to think like an attacker.

More than just being aware of vulnerabilities in software that attackers often exploit, security analysts should strive to understand the actual attacks -- the motive, method, tools used, desired result -- and feed that information to software developers so defences can be built into an application during the design phase, says Sean Barnum, managing consultant with Cigital, a software security consulting firm. Barnum spoke at the Black Hat DC 2007 conference held here on Thursday during a presentation about attack patterns, which are detailed descriptions of specific attacks.

"Attack patterns are great guides for implementing secure code and validating" the security of the code, said Barnum. "You need a good view of the attacker's perspective and use it to build better defences."

Much like design patterns -- tools used by developers to help them solve recurring problems when writing software -- attack patterns serve to aid developers in building code that is secure, Barnum said. These tools, a combination of diagrams, code excerpts, and written descriptions, describe the techniques attackers may use to break software, he said.

While the information gathered in an attack pattern is most useful for software developers, security analysts and other security professionals are best equipped to create the pattern, said Barnum. Gathering information about attackers involves exploring some "shady places" that only professionals well versed in security should attempt, he warned.

Currently the U.S. Department of Homeland Security (DHS) is funding a project called Common Attack Pattern Enumeration and Classification (CAPEC) to collect and classify attack patterns and make them widely available to the software-development community. Barnum, who is working with DHS on the project, said a Web site with more information about CAPEC will go live as soon as next week.