SOFTWARE SECURITY

What is Software Security?

The word Security refers to “the state of being free from danger or threat”. Security plays a vital role as it makes a huge impact on software systems. Security breaches create not only revenue losses, but also other long term consequences such as diminishing reputation, losing customer trust etc.

Software Security is the creation of well secured software systems with intrinsic defense that will operate smoothly without being subjected to malicious attacks for the users and owners of the software. Security of the system must be ensured at the each phase of software development life cycle. The main purpose of ensuring security is to minimalize and avoid the defects at earliest.

Software Security Techniques

Use of Software Security Techniques in software development processes uplift the quality and the safety of a software that provides an accurate, reliable and predictable behavior.

🔸 Sandboxing

Sandboxing is a practice used when securing the systems by executing, analyzing and reviewing the code in a safe and isolated environment that is similar to an end-user operating environment.

🔸 Secure Coding

Secure coding is referred to as the practice of writing programs that are considered to be protected from vulnerabilities.

🔸 Penetration Testing

Penetration Testing is the practice of testing a computer system to check if the system is vulnerable to exploitations of the attackers.

🔸 Understanding attack surface

This involves keeping track of different points where unauthorized users can attempt to enter information to or remove information from an environment.

🔸 Code Auditing

Code auditing is a the practice of analyzing the source code thoroughly with the purpose of identifying defects, bugs or security breaches.

🔸 Defense in Depth

It can be known as a mechanism that is utilized to protect a system from attacks using various independent methods.

Application Security Vs Software Security

There are 2 main classifications in secure software development namely Application Security and Software Security. Let us observe the main differences between them.

Types of Attacks

There are mainly 5 types of attacks.

1. Leakage — Reveals sensitive data such as details of the application.
2. Tampering — Modifying data and information via unauthorized channels.
3. Vandalism — Destroying and causing permanent damage to data.
4. Resource Stealing — Accessing resources without authorizations.
5. Denial of Service —Making a system inaccessible to its users.

Methods of Attacks

1. Malware : Software designed to infiltrate or damage a computer system without the owner’s permission.

2. Phishing : A type of social engineering attack that is used to steal user data.

3. Brute-force attacks : A cryptographic hack that depends on guessing possible combinations of a selected password until the right password is found.

4. SQL Injections : It uses a malicious SQL code for backend database manipulation in order to get unauthorized information.

5. Man-In-The-Middle (MITM) attacks : A perpetrator keeps himself in between a conversation with a user and an application with the purpose of eavesdropping or impersonating to make it feel real.

6. Cross-Site Scripting (XSS) : This exploits vulnerabilities in a web application through injecting malicious code into the browser of the user.

Cryptography

The word ‘crypt’ stands for hidden and ‘graphy’ means writing. Cryptography is a technique for securing data and communications using codes, so that it can be read and processed only by those for whom the information is. It deals with developing and analyzing protocols which aids in preventing malicious third parties from recovering the shared data and information between two entities thereby using different aspects of information security.

The core principles of modern-day cryptography are as follows.

1. Confidentiality — Information cannot be understood by anyone for whom it was not intended
2. Data Integrity — Ensuring that the information have not altered while storing or transiting between sender and intended receiver.
3. Authentication — A process by which you verify that someone is who they claim they are.
4. Non-repudiation — Ability to make sure that the creator/sender of the information cannot deny his or her intentions in the creation or transmission of the information at a later stage

There are 2 main algorithms in cryptography.

1. Symmetric Cryptosystem — Private key algorithm. Ex: DES
2. Asymmetric Cryptosystem — Public key algorithm. Ex: RSA

Private Key : This key must be known only by its owner.

Public Key : This key is known to everyone since it is public.

Relation between both keys : One key encrypts, while the other key decrypts and vice versa.

Private Key / Secret Key Algorithm

In this algorithm, same key is used for both encryption and decryption.

Public Key Algorithm

A public key algorithm consists of a public key (B) that is used to crypt a message and a private key (A) used to decrypt the message. There is only one private key (A1, B1) for one public key. Only the private key that belongs to the public key can decrypt a message encrypted by the public key.

Difference between Public key and Private Key

Encryption

Encryption is used to protect the confidentiality of information when it must be resided or transmitted through unsafe environments. It transforms data which cannot be understood by unauthorized users. Encryption is also used for “digital signatures” to authenticate the origin of messages or data.

Hashing

Hashing is a one-way function that uses an algorithm to map data of any size to a fixed length. This is known as the hash value. Hash values are unique. By any chance if two files produce the same hash value, a collision occurs. Hash values cannot be reverted into their original values.

Common Hashing Algorithms

🟢 MD4 — This is a message digest algorithm that implements a cryptographic hash function in order to check message integrity.

🟢 SHA — This stands for Security Hashing Algorithm that takes an input that can be any random size, and produce an output that has a fixed size.

🟢 WHIRLPOOL — This produces 512-bit hashes that are typically represented as 128-digit hexadecimal numbers.

🟢 TIGER — This is designed to be very fast and efficient on modern 64-bit computers.

Salting

It is a concept related to password hashing. Basically, it is considered as a unique value that can be added to the end of the password in order to create a different hash value. This adds an extra layer of security to the hashing process. It is an act of complicating the password cracking process by adding a salt to the end of a password and then hashing it.

Social Engineering

Social engineering is a technique in exploiting human psychology with the purpose of gaining access to buildings, systems or sensitive data without using any technical hacking methods.

Social engineering attack techniques

Social engineering attacks can come in many different forms. Some of the social engineering attack techniques are as follows.

Scareware

Scareware is malicious software that influences computer users into visiting malware-infested websites.

Pretexting

Pretexting is a method used by attackers by creating a scenario in order to ensure the users to give up valuable information, such as passwords.

Baiting

It involves offering something tempting to a user for login information or private data.

References

8 Types of Security Attacks and How to Prevent Them - ManageWP

The difference between Encryption, Hashing and Salting