Software Vulnerability and Security
A software vulnerability is a loophole, glitch, flaw or weakness present in a piece of software, an application or an operating system. Every system has its own vulnerabilities, whether it is Android, Linux, Windows, Flash Player, Adobe products, etc.
There are many ways to find those vulnerabilities, such as scanning, injecting and scripting. By scanning a web application you can find the holes in the website or application, and by scanning the physical system you can identify vulnerabilities in the operating system and other installed applications.
An attacker can exploit a vulnerability in software or an application to steal or manipulate sensitive and critical data or information, join the system to a botnet, install a backdoor, or plant other types of malware, trojans, etc. Also, after penetrating one network host, the attacker can use that host to break into other hosts on the same network.
To avoid software vulnerabilities, software developers must learn secure coding best practices, and automated as well as manual security testing must be carried out throughout the entire software development process.
Some important software vulnerabilities are the following:
Buffer Overflow:
This vulnerability occurs when a program tries to put more data into a fixed-length buffer than its storage capacity allows. As a result, it can crash the program, corrupt data, and even cause the execution of malicious code. Coding errors are typically the cause of buffer overflows, and mainly languages like C, C++ and Java are responsible for this kind of glitch.
To avoid buffer overflows, application developers should avoid the standard library functions in C/C++ that are not bounds-checked, such as strcpy(), gets(), strncat() and scanf().
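The following is an added example, not code from the original post, showing the same defect and its fix side by side: a greeting routine that copies caller input into a 16-byte stack buffer with strcpy() (no bounds check), and a hardened version that checks the length before copying and also shows the snprintf() return-value check. The function names, the NAME_LEN size and the sample inputs are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size: room for 15 chars + NUL */

/* Vulnerable form: strcpy() copies until it finds a NUL byte and never
   looks at the size of 'name'. Any input of 16 or more characters writes
   past the end of the buffer into adjacent stack memory. Kept here only
   to show the defect; do not call it with untrusted input. */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);              /* no bounds check */
    printf("Hello, %s\n", name);
}

/* Hardened copy: measure the source first and refuse anything that does
   not fit, including its terminating NUL. Refusing is preferable to silent
   truncation because the caller learns that the input was rejected. */
bool copy_bounded(char *dst, size_t dst_len, const char *src) {
    if (dst == NULL || src == NULL || dst_len == 0)
        return false;
    size_t n = strlen(src);
    if (n >= dst_len)                 /* n + 1 bytes needed, only dst_len available */
        return false;
    memcpy(dst, src, n + 1);          /* copies the NUL as well */
    return true;
}

/* Same greeting, built with the bounded copy. Returns false (and prints
   nothing) when the input would have overflowed. */
bool greet_safe(const char *input) {
    char name[NAME_LEN];
    if (!copy_bounded(name, sizeof name, input)) {
        fprintf(stderr, "rejected input of %zu bytes (max %d)\n",
                strlen(input), NAME_LEN - 1);
        return false;
    }
    printf("Hello, %s\n", name);
    return true;
}

/* Formatting variant: snprintf() never writes past dst_len, but it returns
   the length the full string WOULD have had. Checking that return value is
   how a caller detects that truncation occurred. */
bool format_greeting(char *dst, size_t dst_len, const char *name) {
    int needed = snprintf(dst, dst_len, "Hello, %s", name);
    return needed >= 0 && (size_t)needed < dst_len;
}

int main(void) {
    char out[NAME_LEN];
    /* constructed inputs: one fits, one is too long */
    greet_safe("alice");
    greet_safe("this name is much longer than sixteen bytes");
    if (!format_greeting(out, sizeof out, "alexander!"))
        fprintf(stderr, "greeting was truncated\n");
    return 0;
}
```

greet_unsafe() is shown only for contrast; the test below exercises the bounded helpers, including the exact boundary where the input length equals the buffer size minus one.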
Sensitive Data Exposure:
Sensitive data such as addresses, passwords and account numbers must be properly protected. If it is not, untrustworthy parties can gain access to the sensitive data.
Broken Authentication:
The authentication and session management functions of an application need to be implemented correctly.
Security Misconfiguration:
Security misconfigurations are often the result of insecure default configurations, misconfigured HTTP headers and unnecessary HTTP methods. Attackers can exploit security misconfigurations to gain knowledge of the application and API components during their reconnaissance phase.
To avoid this flaw, the following points need to be considered:
- Do not use vendor or OEM supplied defaults for system passwords and other security parameters.
- Modify the password policy by enabling enforcement and setting the maximum password age to 90 days or less.
- Protect all systems against malware and regularly update software.
- Configure the BIG-IP ASM security policy to blacklist, safeguarding your account.
Considering the software development life cycle and attack scenarios, the OWASP Top 10 vulnerability list came into the picture to provide a more in-depth view of the security posture of software and applications.
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.
All OWASP tools, documents, videos, presentations, and chapters are free and open to anyone interested in improving application security.
In brief, below is the list of the OWASP Top 10 vulnerabilities.
- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failures
- A03:2021-Injection
- A04:2021-Insecure Design
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components
- A07:2021-Identification and Authentication Failures
- A08:2021-Software and Data Integrity Failures
- A09:2021-Security Logging and Monitoring Failures
- A10:2021-Server-Side Request Forgery
You can refer to the OWASP website for further details.
-DR