Security Inspection Service

“90% of software security incidents are caused by attackers exploiting known software defect types.”

— CERT (Computer Emergency Readiness Team), Carnegie Mellon University

For software development organizations coding in C and C++, Reasoning helps eliminate critical security risks and gives enterprises an effective defense against unauthorized access and hacker attacks. Our application-level security vulnerability assessments find potential problems missed by existing developer solutions, such as application scanners and dynamic testing tools, which can only exercise the attack inputs they are driven with and never see code paths that are not reached during a test.

In addition, we provide the exact location and root cause of vulnerabilities, making it easy for developers to isolate and resolve issues quickly and effectively—before an application is put into production.

Reasoning produces security data reports that make identification, analysis, and repair easy to accomplish. The reports serve as detailed roadmaps that clearly list the class and location of vulnerabilities, along with a full description.

The Metrics Report is designed for the management team. Providing insight into problem areas within an application, including industry comparisons and ratings, it enables managers to better plan development efforts.


Vulnerabilities Found
The following is a list of the security vulnerabilities identified and isolated by Reasoning’s Security Inspection Service.

Buffer Overflows –– On the SANS/FBI Top 20 list of Internet security vulnerabilities, buffer overflows are the most common security flaw exploited by hackers. Buffer overflow attacks target applications that read external data into fixed-size memory buffers for later use and manipulation. Failing to check the size of the data against the size of the buffer before copying it is commonplace. When the data is larger than the buffer, the excess overwrites adjacent memory, such as a saved return address on the stack; an attacker who controls that data can redirect execution into code embedded in the oversized input, which then runs with the privileges of the application.
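The pattern described above, shown as an added example (not code from Reasoning or from any inspected product): a fixed-size stack buffer filled by an unbounded strcpy beside the same function with the length check the inspection service looks for. The function names and the 16-byte buffer size are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* fixed-size stack buffer used by both versions (hypothetical size) */

/* Vulnerable: the input length is never compared with the buffer size.
 * An input of 16 or more bytes writes past 'name' into the rest of the
 * stack frame, including the saved return address, which is how an attacker
 * redirects execution into bytes they supplied. Not called from main(). */
void greet_unsafe(const char *input) {
    char name[NAME_MAX_LEN];
    strcpy(name, input);              /* no bound: classic stack overflow */
    printf("Hello, %s\n", name);
}

/* Hardened: measure first, refuse anything that would not fit together with
 * the terminating NUL, then copy exactly that many bytes. Rejecting is
 * preferable to silently truncating, which can itself change the meaning of
 * the data (e.g. cutting the end off a path). Returns true on success. */
bool greet_safe(const char *input) {
    char name[NAME_MAX_LEN];
    size_t len = strlen(input);
    if (len >= sizeof name)           /* the check the unsafe version lacks */
        return false;
    memcpy(name, input, len + 1);     /* bounded copy including the NUL */
    printf("Hello, %s\n", name);
    return true;
}

/* The size check on its own, so callers can pre-screen input the same way. */
bool fits_in_name_buffer(const char *input) {
    return strlen(input) < NAME_MAX_LEN;
}

int main(void) {
    /* constructed inputs: a normal name and a 40-byte oversized one */
    const char *normal = "alice";
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    greet_safe(normal);
    if (!greet_safe(oversized))
        puts("rejected: input longer than buffer");
    /* greet_unsafe(oversized) would corrupt the stack; deliberately left uncalled */
    return 0;
}
```

Compiler mitigations such as stack canaries (`-fstack-protector`) turn the overflow into a crash rather than code execution, but they do not remove the defect; the length check does.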


Race Conditions
–– This term describes the window between a program's check that a planned operation (such as reading or writing a file) is safe and the execution of the operation itself, often called a time-of-check-to-time-of-use (TOCTOU) race. During that window an attacker may change the program's environment, for example by replacing the file with a symbolic link or altering its contents or access permissions, so that the operation is no longer safe when it actually runs.


Tainted Data
–– Whenever a software program obtains data from the outside world (network input, files, environment variables, command-line arguments), it must validate that the data falls within the design specifications of the program before using it. Data that has not been validated is called “tainted.” Using tainted data in a sensitive operation, for example as an array index, a buffer length, a file name or part of a command, lets the data, and so the attacker who supplied it, steer the program into operations that do not conform to its original design.
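The index case from the paragraph above, as an added example (not code from Reasoning or from any inspected product): a table lookup driven by a number taken straight from untrusted text, beside the validated version that parses strictly and range-checks before indexing. The role table, the function names and the sample inputs are constructed for the demonstration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed table: in a real program this might be a handler or privilege
 * table selected by a field taken from a network message. */
static const char *const ROLE_NAMES[] = { "guest", "user", "operator", "admin" };
#define ROLE_COUNT (sizeof ROLE_NAMES / sizeof ROLE_NAMES[0])

/* Tainted use: the index is taken straight from untrusted text. atoi() returns
 * 0 for garbage, accepts a sign and stops at the first non-digit, and the array
 * access itself has no bounds check, so "-3" or "9999" reads memory outside
 * the table. Kept as the 'before' picture; not called from main(). */
const char *role_name_unsafe(const char *input) {
    int idx = atoi(input);
    return ROLE_NAMES[idx];
}

/* Validated use: accept only an unsigned decimal number with no leading or
 * trailing characters, and check the parsed value against the table size
 * before it is used as an index. Returns false (leaving *out untouched) for
 * anything that fails validation, so the caller can refuse the request. */
bool role_name_safe(const char *input, const char **out) {
    if (input == NULL || *input < '0' || *input > '9')   /* rejects "", "-1", " 2" */
        return false;
    char *end;
    errno = 0;
    long v = strtol(input, &end, 10);
    if (errno != 0 || *end != '\0')                     /* overflow or junk like "3abc" */
        return false;
    if ((unsigned long)v >= ROLE_COUNT)                 /* range check against the table */
        return false;
    *out = ROLE_NAMES[v];
    return true;
}

int main(void) {
    /* constructed inputs that a client might send */
    const char *inputs[] = { "0", "3", "4", "-1", "3abc", "", " 2" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *role;
        if (role_name_safe(inputs[i], &role))
            printf("\"%s\" -> %s\n", inputs[i], role);
        else
            printf("\"%s\" -> rejected as tainted\n", inputs[i]);
    }
    return 0;
}
```

The same shape applies to every tainted sink: decide what the program's specification allows (here, an integer in [0, ROLE_COUNT)), check the raw input against exactly that, and only then let the value reach the operation.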


Risky Operations
–– This class of vulnerabilities consists of several subclasses: loading external libraries, executing external programs, using predictable temporary file names and using weak random number generation. Each of these operations gives an attacker a chance to gain control over the program's operation (for example by placing a library or program of the expected name earlier on the search path, or by pre-creating a temporary file the program assumes it owns) or to obtain information the program is supposed to keep secret (for example by reproducing the output of a weak generator used for session tokens or keys).

Learn More
Read the NIST Report
See Reasoning Resources and Downloads for:
• White Papers on Automated Software Inspection for Java and for C/C++
• Security Vulnerability Inspection Report for Sendmail


© 2006 Reasoning, LLC. All rights reserved.