Software Vulnerabilities

School: American University


Course: 449
Subject: Computer Science
Date: Apr 3, 2024
Type: docx
Pages: 5


Name: Oluwaseun O. Obikoya
Class: Secure Software Development (CSC 449-001, CSC 649-001)
Lecturer: Dr. Charles Pak

Software Vulnerabilities

What are Software Vulnerabilities?

First of all, I would like to define the two words separately. Software is defined by the Merriam-Webster dictionary as “something used or associated with and usually contrasted with hardware: such as programs for a computer.” Vulnerable is defined by the Merriam-Webster dictionary as “capable of being physically or emotionally wounded.” Therefore, a software vulnerability is a weakness that can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e., perform unauthorized actions) within a computer system. For a vulnerability to be exploited, an attacker must have at least one applicable tool that can connect to the system’s weakness. The attack surface is also referred to as software vulnerability. “In its broadest sense, the term ‘vulnerability’ is associated with some violation of a security policy. This may be due to weak security rules, or it may be that there is a problem within the software itself. In theory, all computer systems have vulnerabilities; whether or not they are serious depends on whether or not they are used to cause damage to the system.” (Kaspersky encyclopedia) This shows that a software vulnerability is more easily exploited when a computer system has weak security.

Software consists of the instructions that tell a computer what to do. It is made up of an integrated set of procedures, programs and, most especially, routines associated with the daily operation of a computer. The term was coined to distinguish these instructions from hardware, i.e., the physical components of a computer system. A set of instructions that directs a computer’s hardware to perform a specific task is known as a program, also called a software program.
There are two main kinds of software to consider: application software and system software. System software controls the internal functions of a computer through the operating system and can also control devices such as the monitor, storage devices and printers. Application software, on the other hand, includes programs such as word processors, spreadsheets, database management, inventory and payroll programs, and many others. Network software is a third category that organizes communication between the computers on a linked network. Software is typically stored on an external long-term memory (storage) device such as a magnetic diskette or a hard drive. When a program is in use, the computer reads it from the storage device and temporarily places the instructions in random-access memory (RAM). The process of storing and then performing the instructions is called “running” or “executing” a program. By contrast, software programs and procedures that are permanently stored in a computer’s memory using read-only memory (ROM) technology are called firmware, or “hard software.”

Risk Factor Models
Resources, whether physical or logical, tend to have one or more vulnerabilities that can be exploited by what we call threat actors. The result, as we well know, can compromise the availability, integrity or confidentiality of resources belonging to an organization and/or the parties involved. An attack is active when there is an attempt to alter system resources or affect their operation, which tends to compromise the availability or integrity of the system. A passive attack, on the other hand, attempts to learn or make use of information from the system but does not affect system resources; what it compromises is confidentiality. OWASP has a diagram that depicts a similar phenomenon in different terms: a threat agent, through an attack, exploits a weakness in a system and its related security controls, causing a technical impact on an IT resource (asset) that is connected to a business impact.

OWASP: relationship between threat agent and business impact

Information Security Management System

An ISMS (Information Security Management System) is a set of policies developed to manage, according to the principles of risk management, the countermeasures that ensure a security strategy is set up to follow the rules and regulations applicable to a given organization. The countermeasures put in place are known as security controls; when they are applied to a transmission that holds information, they are called security services.

Classification

Vulnerabilities can be classified according to the asset class they relate to:

1. Hardware
 - susceptibility to humidity or dust
 - susceptibility to unprotected storage
 - age-based wear that causes failure
 - over-heating
2. Software
 - insufficient testing
 - insecure coding
 - lack of audit trail
 - design flaw
3. Network
 - insecure network architecture
 - unprotected communication lines (e.g., lack of cryptography)
4. Personnel
 - insider threat
 - inadequate security awareness
 - inadequate recruiting process
5. Physical site
 - interruption to power source
 - area subject to natural disasters (e.g., flood, earthquake)
6. Organizational
 - lack of regular audits
 - lack of security
 - lack of continuity plans

Causes

Complexity: Large, complex systems increase the probability of flaws.
Familiarity: The use of common, well-known code, operating systems, software and/or hardware increases the probability that an attacker has, or can find, the knowledge and tools to exploit a flaw.
Password management flaws: Users tend to re-use passwords across many programs and websites.
Connectivity: More physical connections, privileges, ports, protocols and services, and the longer each of those is accessible, increase vulnerability.
Fundamental operating system design flaws: An operating system design flaw can allow viruses and malware to execute commands on behalf of the administrator.
Internet website browsing: After visiting certain websites, a computer system can become infected, and personal information can be collected and passed on to third parties.
Unchecked user input: The program assumes that all user input is safe.
Software bugs: A software bug may allow an attacker to misuse an application.

Vulnerability consequence

The impact of a security breach can be very high. IT managers and the upper management team have been known to be aware that applications and IT systems