Software Vulnerability Fundamentals
- Vulnerabilities
- Refers to weaknesses that exist in software and which attackers exploit to their advantage (Dowd, McDonald, and Schuh, 2007). Vulnerabilities can result from implementation, configuration, or design.
- Implementation: Vulnerabilities will result because of protocol flaws, fault software design or incomplete testing (Arregoces and Portolani, 2003).
- Configuration: According to Arregoces and Portolani (2003) use of default, settings increase the occurrence of vulnerabilities in the software.
- Design: Poor security designs in software or inappropriate implementation of redundancy mechanisms promote vulnerability (Arregoces and Portolani, 2003).
- Necessity of Auditing
Auditing is aimed at analyzing software or an application code to establish the vulnerabilities that attackers may exploit (Dowd, McDonald, and Schuh, 2007).
- Auditing Scenarios
- In-house software audit (Prerelease): used to establish the design and implementation flaws prior to releasing the product to the market (Dowd, McDonald and Schuh, 2007).
- In-house software audit (Post release): done after the product has been released to the market to ensure flaws are discovered and corrected before attackers find them (Dowd, McDonald and Schuh, 2007).
- Third-party product range comparison: According to Dowd, McDonald and Schuh (2007), this audit is performed by a third party, which in most cases helps the consumer in deciding whether or not to but a certain software.
- Independent Research: This audit involves security firms, which conduct independent audits to provide information and establish new ways of addressing vulnerabilities (Dowd, McDonald, and Schuh, 2007).
- Classifying Vulnerabilities
Vulnerabilities are classified as design vulnerabilities, implementation vulnerabilities and operational vulnerabilities (Dowd, McDonald, and Schuh, 2007).
- Design Vulnerabilities: These include persistent and non-persistent vulnerabilities, SQL injection vulnerabilities, cross-site scripting, and cross-zone scripting vulnerabilities (Kale, Mehrotra, and Manza, 2008).
- Implementation Vulnerabilities: The problem in this case is how an operation is carried out or executed (Dowd, McDonald, and Schuh, 2007). According to Kale, Mehrotra and Manza (2008), examples of implementation vulnerabilities include SQL injection vulnerabilities and HTTP Header Injection Vulnerabilities.
- Operational Vulnerabilities: This results during the operation of the software in a specific environment (Dowd, McDonald, and Schuh, 2007). The vulnerabilities are attributed to how the software interacts with its environment and are not rooted in the source code.
- Common Threads
- Input and data flow: Attackers will input malicious data to begin the exploitation process of software. Different sources and different interfaces may be utilized to input malicious data into software. This makes it necessary to monitor how the data flows in a system as the software is being operated or implemented. The more complex a system is the more difficult it becomes to trace the data flow from the source and also in the system (Dowd, McDonald, and Schuh, 2007).
- Trust Relationships: flow of data in a software system depends on the level of trust between the different components in the system. Components designed to trust one another ensure that malicious data does not interfere with the normal data flow. This is made possible using peer-to-peer software components (Dowd, McDonald, and Schuh, 2007).
- Assumptions and Misplaced Trust; This deals with assumptions that the designers believe to be true yet issues such as how the attackers or how users utilize the software are ignored (Dowd, McDonald and Schuh, 2007).
Design Review
- Software Design Fundamentals
- Algorithms:
- Problem Domain Logic: this gives the rules that a program is required to use as it processes data (Dowd, McDonald, and Schuh, 2007).
- Key algorithms: continuous and focused attacks on key algorithms may lead to server disruption (Dowd, McDonald, and Schuh, 2007).
- Abstraction and Decomposition
- Abstraction relates to reducing the complexity of a system to make it more manageable (Dowd, McDonald, and Schuh, 2007).
- Decomposition involves the definitions of generalizations and classifications of the abstraction process (Dowd, McDonald, and Schuh, 2007).
- Core Principles of Software Design
- Accuracy: design abstractions are supposed to be designed to meet the stipulated in the requirements. Any form of discrepancy introduces weaknesses in the design abstraction and this increase the vulnerabilities (Dowd, McDonald, and Schuh, 2007).
- Clarity: Poorly illustrated or complex designs introduce vulnerabilities that are attributed to inaccurate design (Dowd, McDonald, and Schuh, 2007).
- Loose Coupling: modules that are loosely coupled have well defined public interfaces and this makes it easier to maintain designs (Dowd, McDonald, and Schuh, 2007).
- Strong Cohesion: strong cohesion makes sure that modules only handle closely related activities (Dowd, McDonald, and Schuh, 2007).
- Enforcing Security Policy
- Authentication: process where the program determines the validity of the user.
- Authorization: process where the system establishes whether the use has permission to execute certain operations (Dowd, McDonald, and Schuh, 2007).
- Accountability: relates to how a system will categorize and record activities that users perform on the system.
- Confidentiality: ensuring that only authorized personnel access data.
- Integrity implies that only authorized personnel can modify data in the system
- Availability: resources are accessible when required.
- Threat Modeling: threat modeling consist of
- Information collection
- Application architecture modeling: different types of modeling can be used such as UML
- Threat Identification
- Documentation of findings
- Prioritizing the implementation review
References
Arregoces, M., & Portolani, M. (2003).Data center fundamentals. Indianapolis, Ind.: Cisco.
Dowd, M., McDonald, J., & Schuh, J. (2007). The art of software security assessment:
Identifying and preventing software vulnerabilities. Indianapolis, Ind.: Addison-Wesley.
Kale, K. V., Mehrotra, S. C., & Manza, R. R. (2008). Advances in computer vision and
Information technology. New Delhi: I.K. International Pub. House.
