Setting Industry Standards for Good and Bad Coding Practices

Paul Ducklin, Sophos Pty Ltd, Australia

In the 1990s, malware writers tried to persuade legitimate software publishers to make use of the polymorphic virus engines of the day. They talked up "benefits" such as the shrouding of intellectual property, anti-piracy, tamper-protection, and more. For the most part, the Bad Guys failed. The software industry did not warm to the idea of wrapping good code in bad packaging, and so the presence of a polymorphic packager alone could be used to condemn a program as malicious.

How things have changed in ten years!

These days, packing and obfuscation tools, even those commonly and unashamedly associated with malware, are frequently used by apparently legitimate software vendors, so the packer on its own no longer tells you whose side a program is on. Programming techniques which greatly benefit (or are vital to) malicious code are thoughtlessly copied by legitimate developers, even though any number of alternatives (ones which would not be useful to the Bad Guys) are usually available.

Security professionals alone cannot fix this. The industry as a whole needs to go through a continuous, iterative process of identifying programming practices which can be considered lost to cybercrime; describing safer replacement techniques; and vigorously insisting that coders, vendors, suppliers, ISPs and the like make the switch from bad to good.

And pigs might fly.

Nevertheless, this paper, using numerous current examples of bad practices commonly used for good purposes, and showing how they can be replaced, aims to provide some "cage rattling" material with which the pigs can at least be herded in the direction of the runway.

Think of it as a piece of very modest (but nevertheless probably quite unpopular) activism.