Explain that some software development problems result in software that is difficult or impossible to deploy in

Question:

Explain that some software development problems result in software that is difficult or impossible to deploy in a secure fashion. There are at least two dozen problem areas or categories in software development (which is also called software engineering) that are recommended to be summarized to students.

Describe SQL injection as it occurs when developers fail to properly validate user input before using it to query a relational database. The possible effects of the ability to “inject” SQL of the attacker’s choosing into the program are not just limited to improper access to information but could potentially allow an attacker to drop tables or even shut down the database.

Mention to students that the same cross-site scripting attacks that can infect a client system can also be used to attack Web servers. Cross-site request forgery (XSRF or CSRF) attacks and scripting cause users to attack servers they access legitimately.

Discuss Web client-related vulnerability (XSS). Client-side cross-site scripting errors can cause problems that allow an attacker to send malicious code to the user’s computer by inserting the script into a normal Web site.

  • Describe the use of magic URLs and hidden forms.
  • Because HTTP is a stateless protocol and computer programs on either end of the communication channel cannot rely on guaranteed delivery of any message, it is difficult for software developers to track a user’s exchanges with a Web site over multiple interactions.
  • Too often, sensitive state information is simply included in a “magic” URL (e.g., the authentication ID is passed as a parameter in the URL for the exchanges that will follow) or included in hidden form fields on the HTML page.
  • If this information is stored as plain text, an attacker can harvest the information from a magic URL as it travels across the network or use scripts on the client to modify information in hidden form fields.

Detail what buffer overruns are and how they occur. This is a situation in which buffers are used when there is a mismatch in the processing rates between two entities involved in a communication process. A buffer overrun (or buffer overflow) is an application error that occurs when more data is sent to a program buffer than it is designed to handle. During a buffer overrun, an attacker can make the target system execute instructions, or the attacker can take advantage of some other unintended consequence of the failure.

Illustrate format string problems and the reason that they occur. Computer languages are often equipped with built-in capabilities to reformat data while they are outputting it. The formatting instructions are usually written as a “format string.” An attacker may embed characters meaningful as formatting directives into malicious input. If this input is then interpreted by the program as formatting directives, the attacker may be able to access information or overwrite very targeted portions of the program’s stack with data of the attacker’s choosing.

Discuss integer bugs (overflows/underflows). Although paper and pencil can deal with arbitrary numbers of digits, the binary representations used by computers are of a particular fixed length. “Integer bugs fall into four broad classes: overflows, underflows, truncations, and signedness errors. Integer bugs are usually exploited indirectly—that is, triggering an integer bug enables an attacker to corrupt other areas of memory, gaining control of an application.”

Summarize the occurrence of C++ catastrophes. Note that this programming language has been around for nearly 40 years, and due to its age, security concerns have arisen. Since operating systems have APIs that use these pointers to control execution code, they are susceptible to diverting program flows and open the door for a hacker to take them over.

Explain that effective software can catch and resolve exceptions, which are unusual situations that require special processing.

Define command injection and explain that command injection problems occur when user input is passed directly to a compiler or interpreter. The underlying issue is the developer’s failure to ensure that command input is validated before it is used in the program.

Comprehend that failure to handle errors can cause a variety of unexpected system behaviors. Programmers are expected to anticipate problems and prepare their application code to handle them.

Analyze that information leakage is one of the most common methods of obtaining inside and classified information directly or indirectly from an individual, usually an employee. By warning employees against disclosing information, organizations can protect the secrecy of their operation.

Justify that a race condition is the failure of a program that occurs when an unexpected ordering of events in the execution of the program results in a conflict over access to the same system resource.

Stress that employees prefer to do things “the easy way” when the official way is too difficult or cumbersome to complete. They must be reminded that there is only one way to do things—the secure way! If users choose the easier way, they are likely to experience loss of some kind very quickly.

Relate that the complexity of updating applications and/or systems increases over time, and without catching the errors, they become harder to find. As a result, hackers can sneak in through those vulnerabilities and create an urgent security risk.

Recall that when computers have more privileges than they need, this sets up numerous critical security issues. One of the greatest concerns in this area occurs when individuals download and run code from public sources, like Web sites.

Distinguish the fact that mobile code is an application, applet, macro, or script that may be embedded in another application or document and thus downloaded and executed without the user even knowing, and especially without consenting. This can also result in a security risk.

Apply the process of cryptography and how weak passwords are an open door for hackers and viruses to work their way into systems. As one of many safeguards to protect access, administrators should limit the number of times an incorrect password can be entered.

Discuss the failure to use cryptographically strong random numbers. Many computer systems use random number generators. These “random” number generators use a mathematical algorithm, based on a seed value and another system component (such as the computer clock), to simulate a random number. Those who understand the workings of such a “random” number generator can predict values at particular times.

Emphasize that cryptography is a powerful tool to protect information, especially information that may travel outside the organization’s protective networks and systems. Using untested or undertested cryptographic algorithms and programs can cause issues. Using weak crypto keys or reusing the same crypto keys can cause issues, as can sending crypto keys through the same medium as the encrypted messages.

Describe the failure to protect network traffic and explain that with the growing popularity of wireless networking comes a corresponding increase in the risk that wirelessly transmitted data will be intercepted. Most wireless networks are installed and operated with little or no protection for the information that is broadcast between the client and the network wireless access point. Without appropriate encryption (such as that afforded by WPA), attackers can intercept and view your data. Traffic on a wired network is also vulnerable to interception in some situations.

Discuss the improper use of SSL. Programmers use Secure Sockets Layer (SSL) to transfer sensitive data such as credit card numbers and other personal information between a client and server. SSL and its successor, Transport Layer Security (TLS), both need certificate validation to be utterly secure. Failure to use secure HTTP, to validate the certificate authority and then validate the certificate itself, or to validate the information against a certificate revocation list (CRL), can compromise the security of SSL traffic.

Explain that the DNS is a core function of the Internet and World Wide Web and that it is subject to cache poisoning. In other words, when the DNS is compromised, the valid IP address associated with a domain name changes into one the attacker chooses, usually a fake Web site designed to obtain personal information or one that accrues a benefit to the attacker—for example, redirecting shoppers from a competitor’s site. This may include additional attacks to other primary and secondary DNS servers linked to a specific domain.

Stress the issue of neglecting change control. Developers use a process known as change control to ensure that the working system delivered to users represents the intent of the developers. Change control processes ensure that developers do not work at cross purposes by altering the same programs or parts of programs at the same time. They also ensure that only authorized changes are introduced and that all changes are adequately tested before being released.
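Added example for the SQL injection and command injection items above. This is illustration code written for this page, not from the textbook or the course material; the users table, the crafted input and the ping command are constructed for the demonstration. It puts the vulnerable pattern (string concatenation into a query) beside the parameterized query, and does the same for input that would reach a shell.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data (not from the page): a tiny in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # Deliberately vulnerable: the input is spliced into the SQL text, so a quote
    # character in `name` terminates the literal and the rest is parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened: the driver binds `name` as a value; whatever it contains, it can
    # never change the structure of the statement.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Command injection: the same rule applies to input that would reach a shell.
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def build_ping_argv(host):
    # Hardened: allowlist-validate, then return an argv list meant for
    # subprocess.run(argv) with shell=False, so no shell ever interprets
    # characters such as ';' or '|' in the input.
    if not HOSTNAME.fullmatch(host):
        raise ValueError("rejected hostname: %r" % (host,))
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, crafted))    # every row
    print("parameterized: ", lookup_parameterized(db, crafted))  # []
    print(build_ping_argv("example.com"))
```

The vulnerable lookup returns every row for the crafted input because the quote closes the literal and the appended condition is always true; the parameterized lookup returns nothing because the whole string is compared as a name. Validation plus an argv list (never `shell=True`) is the corresponding fix for command input.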
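Added example for the magic URL and hidden form field items above. It is not code from the textbook; the key, field names and price value are constructed. It shows how to make state that must round-trip through the client tamper-evident with an HMAC, and why sensitive state is better kept server-side behind an opaque session identifier.

```python
import base64
import hashlib
import hmac
import json
import secrets


def sign_state(key, fields):
    # Serialize the state and attach an HMAC-SHA256 tag computed with a server-side
    # secret. The client can still read the fields, but cannot alter them undetected.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def verify_state(key, token):
    # Returns the fields if the tag verifies, else None. compare_digest runs in
    # constant time, so the check does not leak how many tag bytes matched.
    try:
        p, t = token.split(".")
        payload = base64.urlsafe_b64decode(p)
        tag = base64.urlsafe_b64decode(t)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def new_session_id():
    # Preferred for anything sensitive: keep the state on the server and give the
    # client only an opaque, unpredictable identifier (256 bits from the OS CSPRNG).
    return secrets.token_urlsafe(32)


def simulate_client_edit(token, new_price):
    # Test helper standing in for a client that edits the hidden field's value while
    # keeping the original tag; verify_state must reject the result.
    p, t = token.split(".")
    fields = json.loads(base64.urlsafe_b64decode(p))
    fields["price"] = new_price
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + t


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    tok = sign_state(key, {"user": "alice", "price": 1999})
    print(verify_state(key, tok))                             # the fields
    print(verify_state(key, simulate_client_edit(tok, 1)))    # None
    print(new_session_id())
```

Signing stops modification but not disclosure: a signed token in a URL still ends up in browser history, proxy logs and Referer headers, which is why an authentication ID belongs in a server-side session keyed by `new_session_id()` rather than in the URL at all.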
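Added example for the integer bugs item above, illustrating all four classes it names (overflow, underflow, truncation, signedness). It is not from the textbook; Python integers do not wrap, so the fixed-width behaviour of C is modelled explicitly with masks, and the allocation-size and length-field scenarios are constructed.

```python
import struct

U32_MAX = 0xFFFFFFFF


def to_uint32(x):
    # Model a C unsigned 32-bit store: results wrap modulo 2**32, so both
    # overflow (past U32_MAX) and underflow (below 0) silently wrap around.
    return x & U32_MAX


def to_int32(x):
    # Model a signed 32-bit reinterpretation (signedness error): bit 31 is the sign.
    x &= U32_MAX
    return x - (1 << 32) if x & 0x80000000 else x


def to_uint16(x):
    # Model truncation: copying a wider value into a 16-bit field drops the high bits.
    return x & 0xFFFF


def unchecked_alloc_size(count, elem_size):
    # Deliberately mirrors the classic bug: count * elem_size evaluated in 32 bits
    # wraps to a small number, so a later copy of `count` elements overruns the buffer
    # (this is the "indirect" exploitation the quoted passage refers to).
    return to_uint32(count * elem_size)


def checked_alloc_size(count, elem_size):
    # Hardened: reject any product that would not fit before it is used as a size.
    if count < 0 or elem_size <= 0:
        raise ValueError("negative count or non-positive element size")
    if count > U32_MAX // elem_size:
        raise OverflowError("count * elem_size exceeds 32 bits")
    return count * elem_size


def parse_length_field(data):
    # A 4-byte little-endian length field read two ways. Reading it as signed ("<i")
    # turns 0xFFFFFFFF into -1, which passes a naive `length < limit` check; reading
    # it as unsigned ("<I") keeps the real magnitude visible to the bounds check.
    signed, = struct.unpack("<i", data[:4])
    unsigned, = struct.unpack("<I", data[:4])
    return signed, unsigned


if __name__ == "__main__":
    print(to_uint32(U32_MAX + 1), to_uint32(-1))       # 0 4294967295
    print(to_int32(0xFFFFFFFF), to_uint16(0x10001))     # -1 1
    print(unchecked_alloc_size(0x40000001, 4))          # 4, not 4294967300
    print(parse_length_field(b"\xff\xff\xff\xff"))      # (-1, 4294967295)
```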
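Added example for the item on failing to use cryptographically strong random numbers. It is illustration code, not from the textbook; the seed values and the sixty-second window are constructed. It reproduces the claim that a seeded algorithmic generator is predictable to anyone who can narrow down the seed, and contrasts it with the operating system's CSPRNG.

```python
import random
import secrets


def insecure_reset_token(seed):
    # Models the weak pattern the passage describes: a deterministic PRNG
    # (Mersenne Twister here) seeded from a low-entropy value such as the clock.
    rng = random.Random(seed)
    return "%016x" % rng.getrandbits(64)


def tokens_reproducible(seed):
    # Same seed, same output: the generator is a function of the seed, not random.
    return insecure_reset_token(seed) == insecure_reset_token(seed)


def audit_seed_space(token, candidate_seeds):
    # Entropy audit a reviewer can run: if a token can be matched to a seed drawn
    # from a small space (e.g. whole seconds in a one-minute window), the generator
    # offers no secrecy and must not be used for tokens, session IDs or keys.
    for s in candidate_seeds:
        if insecure_reset_token(s) == token:
            return s
    return None


def secure_reset_token():
    # Hardened: `secrets` draws from the OS CSPRNG; there is no seed to recover and
    # the token carries 256 bits of entropy.
    return secrets.token_hex(32)


if __name__ == "__main__":
    clock_seed = 1700000030                     # constructed "current time" seed
    weak = insecure_reset_token(clock_seed)
    print(audit_seed_space(weak, range(1700000000, 1700000060)))   # 1700000030
    print(secure_reset_token())
```

The audit function is the practical test to apply to any generator used for security purposes: if its output can be tied back to a guessable seed, replace it with `secrets` (or `os.urandom`), never with a different seed.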
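Added example for the race condition item above (and for the error-handling item, since the fix relies on handling `FileExistsError` rather than pre-checking). It is not from the textbook. The classic instance is a time-of-check-to-time-of-use race on a file: the existence check and the creation are separate steps, and another process can act in between. The race is made deterministic with a hook that stands in for that other process; the hook and the file contents are constructed.

```python
import os
import tempfile


def create_private_file_racy(path, race_hook=None):
    # Deliberately racy: check, then create. In the window between the two, another
    # process can create (or symlink) `path`, and the open() below then truncates and
    # writes whatever that path now refers to, while this code believes it made a
    # fresh file.
    if os.path.exists(path):
        return False
    if race_hook:
        race_hook()            # stands in for another process acting in the window
    with open(path, "w") as f:
        f.write("secret\n")
    return True


def create_private_file_atomic(path, race_hook=None):
    # Hardened: O_CREAT|O_EXCL makes the kernel do check-and-create as one step and
    # fail if the path already exists; O_NOFOLLOW (where available) refuses symlinks;
    # mode 0o600 limits the new file to its owner. The failure is handled as an
    # exception instead of being "prevented" by a check that cannot be trusted.
    if race_hook:
        race_hook()            # same interference, but there is no window to exploit
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as f:
        f.write("secret\n")
    return True


def run_scenario(create):
    # Constructed scenario: the "other process" plants a file at the target path
    # during the window. Returns (what create() reported, what ended up on disk).
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "token")

        def other_process():
            with open(target, "w") as f:
                f.write("planted\n")

        created = create(target, race_hook=other_process)
        with open(target) as f:
            content = f.read()
        return created, content


if __name__ == "__main__":
    print(run_scenario(create_private_file_racy))    # (True, 'secret\n')
    print(run_scenario(create_private_file_atomic))  # (False, 'planted\n')
```

The racy version reports success and has overwritten a file it did not create; the atomic version reports the conflict and leaves the planted file alone, which is the behaviour a caller can safely act on.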
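Added example for the improper use of SSL/TLS item above. It is not from the textbook. It shows the client-side configuration that disables the validation the passage lists (certificate chain, hostname) beside the default-secure configuration, plus a small audit function that reports which checks a given context is missing. No network connection is made; the audit works on the context object alone.

```python
import ssl


def insecure_context():
    # The anti-pattern: making a certificate warning "go away" by switching off
    # hostname checking and chain validation. Any certificate from anyone is accepted,
    # so an interposed party can terminate the connection with its own certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context():
    # Hardened: system trust store, chain validation against it, hostname matching,
    # and no legacy protocol versions. Revocation checking (the CRL the passage
    # mentions) is added with ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF after the
    # CRL has been loaded with ctx.load_verify_locations(); it is left off here
    # because no CRL file is shipped with this example.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_findings(ctx):
    # Audit helper: the validation gaps a code review of a client should flag.
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate chain not required or validated")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    print("secure:  ", context_findings(secure_context()))    # []
    print("insecure:", context_findings(insecure_context()))
```

A context from `secure_context()` is what `ssl.create_default_context()` already gives you; the point of the audit is to catch code that later sets `verify_mode = CERT_NONE` or `check_hostname = False`, which is the usual way "use SSL" turns into unvalidated SSL.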


Related book: Principles of Information Security, 7th Edition, by Michael E. Whitman and Herbert J. Mattord (ISBN 9780357506431).
