Software refers to programs and the related data that instruct a computer system to perform tasks.
Errors in programs can become security vulnerabilities. Possible consequences include:
- Integrity violations
- Incorrect outputs
- Unauthorized data modification
- Opportunities for attackers to exploit programs
Program security issues commonly arise from:
- Buffer overflows
- Improper input validation
- Unsafe libraries
- Injection attacks
- Malware
- Unsafe temporary files
Temporary files are created and used by a program for short-lived storage. If a temporary file has a predictable name and is created in a shared directory with permissive access, an attacker who can guess the name may pre-create the file, plant a symbolic link at that path, or read and modify the contents while the program is using it. Programs must therefore use random filenames, create the file with exclusive-create semantics, and restrict permissions to the owner.
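The two patterns side by side, as an added example written for these notes (not code from any project the notes describe). The function names, the `app-` prefix and the `TMPDIR` fallback are assumptions; the safe version relies on POSIX `mkstemp()`, which fills in the `XXXXXX` suffix with random characters and creates the file with `O_CREAT|O_EXCL`.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: a fixed name in a shared directory. Anyone on the host can
 * guess "/tmp/app-scratch.tmp", pre-create it or plant a symlink there;
 * O_CREAT without O_EXCL follows that link, and mode 0666 lets other users
 * read or rewrite whatever we store. Shown for contrast, never called. */
int open_temp_predictable(void)
{
    return open("/tmp/app-scratch.tmp", O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Safer pattern: mkstemp() picks a random name and creates the file
 * atomically with O_EXCL, so a pre-planted file or link makes it fail
 * instead of being followed. Permissions are forced to owner-only. On
 * success the generated path is left in `path` so the caller can unlink it. */
int open_temp_secure(char *path, size_t path_cap)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int n = snprintf(path, path_cap, "%s/app-XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_cap)
        return -1;                        /* template would not fit */

    int fd = mkstemp(path);               /* random name + create-exclusive */
    if (fd < 0)
        return -1;
    /* Modern libcs already create with 0600; set it explicitly anyway. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Verify on the open descriptor (not on the path, which could be swapped
 * out from under us): regular file, owner-only permissions, one link, ours. */
int temp_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode)
        && (st.st_mode & 0777) == 0600
        && st.st_nlink == 1
        && st.st_uid == getuid();
}

int main(void)
{
    char path[4096];
    int fd = open_temp_secure(path, sizeof path);
    if (fd < 0) {
        perror("open_temp_secure");
        return 1;
    }
    printf("created %s, private=%d\n", path, temp_is_private(fd));
    close(fd);
    unlink(path);
    return 0;
}
```

Checking `fstat()` on the descriptor rather than `stat()` on the path matters: once the name is known to an attacker, the path can be swapped between the check and the use, but the descriptor always refers to the file that was actually created.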
Secure development requires:
- Safe coding practices
- Security testing
- Proper system design principles
Secure Coding Practices
Top recommended practices:
- Validate input
- Follow compiler warnings
- Design security architecture
- Keep systems simple
- Default deny access
- Apply least privilege
- Sanitize data sent to other systems
- Use defense-in-depth
- Perform quality assurance testing
- Adopt secure coding standards
Testing Techniques
Common testing methods used to find security defects:
- Unit testing
- Integration testing
- Performance testing
- Regression testing
- Penetration testing
Fuzz Testing
Fuzzing is a testing technique that feeds large numbers of random, malformed or mutated inputs to a program and watches for crashes, hangs, memory errors or other unexpected behaviour that indicate a vulnerability.
Advantages:
- Simple
- Low cost
- Reveals unexpected input errors
Limitation:
- May miss bugs that are triggered only by specific inputs (for example an exact magic value or checksum) which random generation is unlikely to produce.
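A small mutation fuzzer that shows both the advantage and the limitation above, written as an added example for these notes (not code from any fuzzing tool). The record format, the `parse_record` target with its two deliberate bugs, the guard-byte overflow detector and the xorshift PRNG are all assumptions of the example; a real fuzzing setup would use a sanitizer such as ASan to detect the overflow instead of guard bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_CAP 16      /* what the caller believes the output buffer holds */
#define GUARD   256     /* bytes behind it that act as an overflow detector */

/* Target under test. A record is a 4-byte tag, a 1-byte payload length and
 * the payload; the output buffer holds OUT_CAP bytes. Both paths have a
 * deliberate bug (this is the vulnerable side of the example):
 *   path 1 (any tag): the bound check is off by four, allowing OUT_CAP+4;
 *   path 2 (tag "MAGI"): no bound check at all.
 * *path reports which branch ran so the harness can tell the bugs apart. */
int parse_record(const uint8_t *in, size_t n, uint8_t *out, int *path)
{
    if (n < 5)
        return -1;
    uint8_t len = in[4];
    if (n < 5 + (size_t)len)
        return -1;                               /* payload truncated */
    if (memcmp(in, "MAGI", 4) == 0) {
        *path = 2;
        memcpy(out, in + 5, len);                /* bug: no length check */
    } else {
        *path = 1;
        if (len > OUT_CAP + 4)                   /* bug: should be > OUT_CAP */
            return -1;
        memcpy(out, in + 5, len);
    }
    return 0;
}

/* Run one input with a guard region behind the output buffer. Returns the
 * path taken if the guard was overwritten, otherwise 0. The region is big
 * enough for any 1-byte length, so the "overflow" never leaves the array. */
int run_one(const uint8_t *in, size_t n)
{
    uint8_t region[OUT_CAP + GUARD];
    int path = 0;
    memset(region, 0xAA, sizeof region);
    if (parse_record(in, n, region, &path) != 0)
        return 0;
    for (size_t i = OUT_CAP; i < sizeof region; i++)
        if (region[i] != 0xAA)
            return path;                         /* overflow detected */
    return 0;
}

/* Deterministic xorshift64 so fuzz runs are reproducible. */
static uint64_t rng_state;
static uint32_t rng_next(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return (uint32_t)rng_state;
}

struct fuzz_result {
    unsigned path1_overflows;   /* hits on the off-by-four bug */
    unsigned path2_overflows;   /* hits on the "MAGI" bug */
};

/* Mutation fuzzer: take one valid seed record, overwrite 1..3 random bytes
 * with random values, and check whether the guard got clobbered. */
struct fuzz_result fuzz_parser(unsigned iterations, uint64_t seed)
{
    /* Constructed seed: tag "REC1", length 8, 32 bytes of payload area. */
    uint8_t base[37] = { 'R', 'E', 'C', '1', 8 };
    for (size_t i = 5; i < sizeof base; i++)
        base[i] = (uint8_t)('a' + i % 26);

    struct fuzz_result r = { 0, 0 };
    uint8_t buf[sizeof base];
    rng_state = seed ? seed : 0x9E3779B97F4A7C15ull;

    for (unsigned it = 0; it < iterations; it++) {
        memcpy(buf, base, sizeof base);
        unsigned flips = 1 + rng_next() % 3;
        for (unsigned f = 0; f < flips; f++)
            buf[rng_next() % sizeof buf] = (uint8_t)rng_next();
        int hit = run_one(buf, sizeof buf);
        if (hit == 1) r.path1_overflows++;
        if (hit == 2) r.path2_overflows++;
    }
    return r;
}

int main(void)
{
    struct fuzz_result r = fuzz_parser(50000, 1);
    printf("path 1 overflows: %u, path 2 overflows: %u\n",
           r.path1_overflows, r.path2_overflows);
    return 0;
}
```

Path 1 needs only one lucky byte (a length of 17 to 20), so a few thousand iterations find it. Path 2 needs all four tag bytes to become "MAGI" at once, and with at most three mutations per input that never happens: this is the "specific input" a blind fuzzer misses, and the reason coverage-guided fuzzers, dictionaries and hand-written tests are used alongside it.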
Security Design Principles
Key principles:
- Least privilege
- Economy of mechanism
- Open design
- Complete mediation
- Separation of privilege
- Ease of use
Examples
Heartbleed Vulnerability
A vulnerability in the TLS heartbeat extension of OpenSSL (CVE-2014-0160, disclosed in 2014) that allowed a remote, unauthenticated attacker to read memory of the server (or client) process.
The heartbeat handler trusted the payload length stated in the request instead of checking it against the length of the record actually received, and copied that many bytes from memory into the reply.
Each malicious heartbeat could retrieve up to 64 KB of memory beyond the request buffer, and the request could be repeated at will; leaked contents included:
- Secret keys
- Passwords
- Session data
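The missing check, as an added simulation written for these notes rather than OpenSSL's own code: process memory is modelled as one static array with a constructed secret placed right behind the received record, and the heartbeat wire format is reduced to type byte, 16-bit payload length, payload and 16 bytes of padding. Function names, the secret string and the memory layout are assumptions; the bound check in `heartbeat_fixed` mirrors the one the real fix added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING     16
#define HB_MAX_PAYLOAD 65535
#define RESP_CAP       (3 + HB_MAX_PAYLOAD + HB_PADDING)

/* Simulated process memory: the incoming heartbeat record is placed at the
 * start and a constructed secret right behind it, the way key material or
 * session data can sit next to a network buffer on the heap. */
static uint8_t process_memory[RESP_CAP + 64];
static const char secret[] = "SECRET:rsa-private-key-bytes";

/* Vulnerable handler, modelled on the pre-fix logic: trust the 16-bit payload
 * length the peer claims and copy that many bytes into the response, never
 * checking it against the length of the record actually received. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp)
{
    (void)rec_len;                                  /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != HB_REQUEST)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)payload;
    memcpy(resp + 3, rec + 3, payload);             /* reads past the record */
    memset(resp + 3 + payload, 0, HB_PADDING);      /* real code: random pad */
    return 3 + (size_t)payload + HB_PADDING;
}

/* Fixed handler: header, claimed payload and padding must fit inside the
 * received record; otherwise the message is silently discarded. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                                   /* too short to be valid */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                                   /* claimed length is a lie */
    if (rec[0] != HB_REQUEST)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)payload;
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;
}

/* Does `needle` occur anywhere in the first n response bytes? */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Attack: a request carrying no payload that claims 1024 bytes. Returns 1 if
 * the secret stored behind the record turns up in the response. */
int heartbeat_leaks_secret(int use_fixed)
{
    static uint8_t resp[RESP_CAP];
    size_t rec_len = 1 + 2 + 0 + HB_PADDING;        /* what really arrived */
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = 0x04;                       /* claimed length 0x0400 */
    process_memory[2] = 0x00;
    memcpy(process_memory + rec_len, secret, sizeof secret);
    size_t n = use_fixed ? heartbeat_fixed(process_memory, rec_len, resp)
                         : heartbeat_vulnerable(process_memory, rec_len, resp);
    return contains(resp, n, secret);
}

/* A well-formed heartbeat still round-trips through the fixed handler. */
int heartbeat_echo_ok(void)
{
    static uint8_t resp[RESP_CAP];
    uint8_t rec[3 + 5 + HB_PADDING] = { HB_REQUEST, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    size_t n = heartbeat_fixed(rec, sizeof rec, resp);
    return n == sizeof rec && resp[0] == HB_RESPONSE
        && memcmp(resp + 3, "hello", 5) == 0;
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", heartbeat_leaks_secret(0));
    printf("fixed leaks secret:      %d\n", heartbeat_leaks_secret(1));
    printf("fixed echoes valid ping: %d\n", heartbeat_echo_ok());
    return 0;
}
```

The lesson generalises beyond this one bug: any length that arrives from the network is attacker-controlled data and must be validated against what was actually received before it is used to index, copy or allocate.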