What is Software Security?
“Reliable software does what it is supposed to do. Secure software does that and nothing else” (Ivan Arce)
You may have heard the terms application security and software security. These two terms are closely related, yet distinct. Software security means the approach of protecting software by developing the software to be secure. It is a long-term process spread throughout the SDLC (Software Development Life Cycle). It usually involves root cause analysis and organizational changes. Application security comes after the software is deployed. Here solutions are provided to identified issues. It is a short-term process that involves security patches, penetrate testing, threat modeling, and code reviews.
Penetration tests and vulnerability assessments are conducted yearly to make sure the system complies with standards.
- Vulnerability assessment: Identifying and documenting the vulnerabilities identified in a system
- Penetration test: Simulation of attack to break the security barriers of the system
There are different types of attacks. Here we are going to focus on five of them.
- Leakage:- Leaking system information to unauthorized parties. Example: A student logging into the LMS(Learning Management System) as a lecturer and leak questions in an exam paper.
- Tampering:- Unauthorized modification of data. Example: Student accessing the online quiz beforehand and changing the questions
- Resource stealing:- Illegal use of resources. Example: Hackers steal and use the university email address to get a student discount on a product
- Vandalism:- Prevent a system from functioning correctly. Example: Student gets access rights of a super admin in the LMS and formatting the marks database.
- Denial of service:- Prevent the user from legitimate system use. Example: When the student marks are released hackers send requests as students to prevent real students from viewing their grades
These attacks can negatively affect companies’ brand, lead to financial loss and even lawsuits. Next, let’s see the methods of attacks. These attacks are launched through the loopholes in the transport layer or network layer.
- Eavesdropping :- Obtaining copies of messages without the approval of the authority
- Masquerading (Spoofing):- Use of identity of another party without approval
- Message tampering:- Alteration of messages
- Replaying:- Storing the messages and sending them later
- Flooding:- Sending loads of messages
Application security is not sufficient, and it is always recommended to built security into the software. Fixing vulnerabilities after deployment is more costly security patches may not fix the root cause. Security should be considered as a mandatory part at each stage of SDLC; Secure Software Development Lifecycle (S-SDLC). Security policies and standards should be set. It is important to get the involvement and give sufficient training to all the stakeholders involved in the development of the project.
Aspects of software security are diverse; code level security, user input validation, cryptography, access control mechanisms, security on data at rest, security on data transport (SSL/TLS), etc. It is important to focus on the architecture as much as on bugs. The involvement of senior executives, managers, and the client are important. Security training for the people who are directly involving the production of the software is the key to a successful S-SDLC implementation. These people may include requirement engineers, designers, architects, developers, quality managers, testers, and project managers.
References
• https://www.owasp.org/images/b/bd/Bsimm09.pdf
• https://www.blackhat.com/presentations/bh-usa-06/bh-us-06-Morana-R3.0.pdf
