Introduction to Software Security

Software security is the idea of protecting software against malicious attacks and other hacker risks so that the software continues to function correctly under such risks. This is a very big topic, and it is easy to get lost in it. Put simply, “protect our system from someone who logs in with a fake identity” captures the most common meaning of software security, and “protect our system from DoS attacks” is another example of what software security means.

Software Security vs Application Security

| Application Security | Software Security |
| --- | --- |
| A way to defend against software exploit after the development is complete | A way to defend against software exploit by building software to be secure |
| Issue-based short term approach | Holistic long term approach |
| Penetrate and Patch | Root Cause Analysis |
| Threat Modeling | Organizational change |
| Code Review | |

Current practices in Application Security

  • Apply security to the application only once development is finished
  • Yearly penetration tests and vulnerability assessments, done mainly just to comply with standards.
  • Vulnerability Assessment – The process of identifying and quantifying vulnerabilities in an environment.
  • Penetration Test – Simulates the actions of an external and internal attacker that aims to breach the security of the organization.

Why Application Security is not good enough?

  • Applying and managing security patches may be costly
  • 0-day vulnerabilities
  • Patches may not fix the cause
  • Firewalls and IDSs may not be sufficient
  • Build Security

Issues with Security Breaches

  • Immediate financial loss
  • Reputation
  • Lawsuits

Software Security Terminology

  • Threat – An event that, if it happens, will lead to a security incident of the kind discussed earlier. E.g. SQL injection.
  • Attack – An actual execution of a threat by one or more attackers, e.g. execution of SQL injection, a DDoS attack.
  • Vulnerability – A problem in the system that an attacker can use to execute an attack and compromise the system.
  • Authentication – Establishing the identity of a user. It determines who you are, whether a human or a machine; the identity must be established before accessing the system.
  • Authorization – Establishing what a given user is allowed to do in the system.

Types of attacks

Attacks that may be made on a system can be categorized into five main areas.

  • Leakage – Information leaving the system
  • Tampering – Unauthorized altering of information
  • Resource stealing – Illegal use of resources
  • Vandalism – Disturbing correct system operation
  • Denial of service – Disrupting legitimate system use

These goals of attacks are used to specify what the system is secure against.

Methods of Attacks

  • Eavesdropping – Obtaining message copies without authority
  • Masquerading – Using the identity of another principal without authority.
  • Message tampering – Intercepting and altering messages
  • Replaying – Storing messages and sending them later.
  • Flooding – Sending too many messages.
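
Three of these methods (masquerading, message tampering and replaying) can be detected by the receiver with a keyed message tag, a nonce and a timestamp. The sketch below is an added example, not part of the original article; the key, the message layout and the names `seal` and `Receiver` are assumptions. It does not address eavesdropping (which needs encryption) or flooding (which needs rate limiting).

```python
import hashlib
import hmac
import json
import secrets
import time

KEY = b"constructed-demo-key"   # constructed shared secret for the example
MAX_AGE = 30                    # seconds a message stays acceptable

def seal(payload, key=KEY, now=None):
    """Sender side: wrap the payload with a nonce, a timestamp and an HMAC tag."""
    body = json.dumps({"payload": payload,
                       "nonce": secrets.token_hex(8),
                       "ts": time.time() if now is None else now},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Receiver:
    def __init__(self, key=KEY):
        self.key = key
        self.seen = {}          # nonce -> timestamp of accepted messages

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        expected = hmac.new(self.key, msg["body"].encode(),
                            hashlib.sha256).hexdigest()
        # A wrong tag means the body was altered (tampering) or the sender
        # does not hold the key (masquerading). Constant-time comparison.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"
        data = json.loads(msg["body"])
        if abs(now - data["ts"]) > MAX_AGE:
            return "rejected: stale"
        # Forget nonces that the freshness check would reject anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_AGE}
        if data["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[data["nonce"]] = data["ts"]
        return "accepted"

if __name__ == "__main__":
    rx, msg = Receiver(), seal({"amount": 10})
    print(rx.accept(msg))   # accepted
    print(rx.accept(msg))   # rejected: replay
```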

Secure Software Development Lifecycle – SDLC

  • Requirement Gathering

In this phase, define the security requirements and set up phase gates; this is a risk assessment. A Software Requirement Specification, or SRS, is a document which records the expected behavior of the system or software which needs to be developed.

  • Design

Identify design requirements from a security perspective. Architecture and design reviews are carried out, and this phase is used for threat modeling. Software design is the blueprint of the system, which once completed can be provided to developers for code development. The components in the design are translated into software modules, functions, libraries and the like.

  • Coding

Identify the coding best practices and perform static analysis, which means a code review. During this phase, the blueprint of the software is turned into reality by developing the source code of the entire application.

  • Testing

This is known as vulnerability assessment. Once the application development is completed, it is tested for various issues like functionality, performance, and so on. This is to ensure that the application is performing as expected.

  • Deployment

This phase covers server configuration review and network configuration review. Once the application is ready to go live, it is deployed on a production server in this phase. If it is developed for a client, the deployment happens on the client's premises or in a datacenter where the client wants to get the application installed.

How to implement a S-SDLC

  • Secure policies and procedures
  • Get the support of all project stakeholders
  • Proper incident management policies
  • User training
  • Focus attention on architecture as much as on bugs
  • Provide security training for everyone who is directly involved in the SDLC
  • Get the involvement of senior executives and middle management
  • Clients can sign SLA asking for security from application vendors

Aspects of Software Security

  • Code level security and user input verification
  • Differences in programming languages and operating systems
  • Cryptography
  • Access control mechanisms
  • Security on data-at-rest
  • Security on data-transport
  • Penetration testing and vulnerability assessment

Is Software Security Costly?

There are two answers to this question. One is YES, if you only look at the cost from requirement capture to ship.

The other answer is NO, if you consider the total cost, which includes requirement capture to ship and the costs incurred after deployment, such as fixing bugs and doing revisions.

What do we want to protect using the software security?

  1. Data Loss – Sensitive data is lost due to a security breach. In other words, due to a vulnerability in the system, someone cracked the system and made important data disappear.
  2. Data Inconsistency – This occurs when data is manipulated by unauthorized attackers and becomes inconsistent. Attackers can impersonate someone else and perform unauthorized actions.
  3. Data Leak – This occurs when sensitive data, such as credit card information or contact details, is stolen and made available to unauthorized recipients. Imagine your own credit card details in the hands of some hackers.
  4. Disruption of Service – This is when system activity is disrupted due to an attacker's actions. In this case it may have nothing to do with system data, but the system goes down. The bottom line is that the attacker wants the system to stop working.

This is the end of the “Introduction to Software Security” article. Thank you for reading. If you are interested in my article, make sure to follow my other articles as well. Make sure to leave a comment.
