The Seven Pernicious Kingdoms
So how do we collate knowledge about common security mistakes?
A brief history of software security analysis
Since the early 1970s computer scientists have found that more than half of security flaws originate in the code itself [1]:
the way it is written,
the use of obsolete functions,
bad programming constructs, and so on.
The problem was that there was no central, widely adopted database of these programming flaws that anyone, programmer or not, could consult to learn about them.
Common Vulnerabilities and Exposures (CVE).
Many attempts were made to categorise and enumerate vulnerabilities, but only one was widely adopted by industry: Common Vulnerabilities and Exposures (CVE). CVE is a public list in which anyone who discovers a vulnerability in a product (a programmer, a team, a software or hardware vendor) can have it recorded.
Once accepted, the vulnerability is assigned a unique identifier (of the form CVE-YYYY-NNNN) and becomes visible in the public database.
The Seven Pernicious Kingdoms
Strictly, CVE is a dictionary of vulnerability identifiers: it names individual vulnerabilities, but it imposes no categorisation or structure on them.
That is what the Seven Pernicious Kingdoms taxonomy is for. It classifies specific coding errors (phyla) into a small number of broad categories of security flaw (kingdoms). This also helps you learn to write better code, because a handful of kingdoms is far easier to remember and check against than hundreds of individual errors.
A phylum is a particular kind of coding error. For example, later this week we will look at SQL injection, which occurs when user input is inserted into a database query without any safeguards. SQL injection is a phylum, and it belongs to the kingdom “Input Validation and Representation”, which also contains buffer overflows, command injection and other phyla. The Seven Pernicious Kingdoms are:
Input Validation and Representation
API Abuse
Security Features
Time and State
Errors
Code Quality
Encapsulation
plus an eighth, Environment, which covers problems that lie outside the code itself (configuration, deployment and the platform the code runs on).
Notes for Nerds: why 7 (+1) kingdoms? The number comes from the work of George Miller [2], who found that people can keep track of about seven, plus or minus two, things at a time. The “+1” is the Environment kingdom, kept outside the count because it concerns the surroundings of the code rather than the code itself.
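The SQL injection phylum described above, as an added worked example (this is not code from the original page, from the course, or from Fortify). The in-memory database, the sample users and the hostile input are constructed for illustration, and the function names are assumed:

```python
import sqlite3

# Constructed sample data for the example (not from the page)
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# A classic hostile input: it closes the quoted string the query expects
# and appends an always-true condition, so the WHERE clause matches every row
HOSTILE_INPUT = "x' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """The phylum: user input is spliced into the query text with no safeguards.
    Whatever the caller supplies becomes part of the SQL the database parses."""
    query = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    """The fix: a parameterised query. The driver passes the input as data,
    so it can never change the structure of the statement."""
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", find_user_vulnerable(db, "bob"))
    print("vulnerable, hostile input:", find_user_vulnerable(db, HOSTILE_INPUT))
    print("safe, hostile input      :", find_user_safe(db, HOSTILE_INPUT))
```

With the normal input both functions return just bob. With the hostile input the vulnerable query becomes `SELECT name FROM users WHERE name = 'x' OR '1'='1' ORDER BY name` and returns every user, while the parameterised version looks for a user literally named `x' OR '1'='1` and returns nothing. The difference is exactly what the “Input Validation and Representation” kingdom is about: the program let untrusted input change the meaning of a statement instead of treating it as data.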
Putting this to use…
So how do static analysis tools put this information to use?
Researchers combine the knowledge in public dictionaries such as CVE with other quantitative and qualitative research on software errors, and from it develop algorithms that scan code for vulnerabilities.
They then use a classification such as the Seven Pernicious Kingdoms as a common language for presenting the results of that analysis. This is what makes Fortify Static Code Analyzer so powerful: it draws on years of accumulated research to detect coding errors and vulnerabilities, and reports them in an easy to read security audit of your code, organised by kingdom and phylum.
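To make concrete how a static analysis tool can attach a kingdom and a phylum to each finding, here is an added toy checker. It is not Fortify’s code and not code from the original page: it is a deliberately small illustration that walks the Python syntax tree, looks for two dangerous sinks (`execute` and `system`) whose first argument is built at runtime, and labels each hit with the phylum and kingdom it indicates. The sink table, the `Finding` record and the sample source being scanned are all assumptions constructed for the example:

```python
import ast
from dataclasses import dataclass

# Kingdom under which both phyla below fall (from the Seven Pernicious Kingdoms)
KINGDOM_INPUT = "Input Validation and Representation"

# Assumed, illustrative sink table: function name -> phylum it indicates.
# A real tool has thousands of such rules across all the kingdoms.
SINKS = {
    "execute": "SQL Injection",
    "system": "Command Injection",
}

# Constructed sample source to scan (not from the page). Line 6 and line 8
# build their argument at runtime; lines 7 and 9 pass constants or parameters.
SAMPLE_SOURCE = '''\
import os
import sqlite3

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    os.system(f"ping -c 1 {user}")
    os.system("ping -c 1 127.0.0.1")
'''


@dataclass
class Finding:
    line: int
    kingdom: str
    phylum: str
    detail: str


def _is_dynamic(node):
    """True when the expression is assembled at runtime: an f-string,
    string concatenation or %-formatting, or a .format() call."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def scan(source):
    """Return findings for every call to a known sink whose first argument
    is built dynamically, each tagged with its kingdom and phylum."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in SINKS and _is_dynamic(node.args[0]):
            findings.append(Finding(
                line=node.lineno,
                kingdom=KINGDOM_INPUT,
                phylum=SINKS[name],
                detail=f"{name}() called with a string assembled at runtime",
            ))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.kingdom} / {f.phylum}] {f.detail}")
```

Run against the sample, the checker reports line 6 as SQL Injection and line 8 as Command Injection, both filed under “Input Validation and Representation”; the parameterised query on line 7 and the constant command on line 9 produce nothing. That report is the point of the taxonomy: two different bugs, found by two different rules, are presented in one vocabulary so the reader immediately knows what class of mistake they are looking at.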
There is lots more to explore about the Seven Pernicious Kingdoms, related work, motivation, and industry adoption and more. To find out more, the following papers are available to download in PDF format from HPE Security’s website: Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors and Evolution of a Taxonomy: Ten Years of Software Security. You will need to scroll down the web page to access the links to the papers.
© University of Southampton 2017