Software vulnerabilities have been widespread since the early days of the Internet. Passwords are often stored in code as plain text, and systems frequently leak information through error messages. While technology continues to get more sophisticated, hacking techniques are getting more complex. With hackers constantly scanning for exploitable software vulnerabilities, it’s critical to address issues throughout the software development process, especially for companies using and storing sensitive customer information.
Almost all of the most common vulnerabilities involve the areas of a site where users can enter or receive data, such as login screens, portals taking users to software, pages with input forms, and display screens. The most prominent vulnerability in 2017 was injection, where hackers were able to input hostile code into a website. When interpreted by the website, injection has catastrophic effects due to a lack of safeguards employed by the site. A similar technique is called broken authentication, which allows hackers to bypass the mechanisms we use to identify ourselves digitally, giving the hacker full access to user accounts.
There are numerous known software vulnerabilities, and it requires years of training and experience for a developer easily identify these threats within lines of code. Most security programs use a top ten list compiled every three years by the Open Web Application Security Project (OWASP) to know which security vulnerabilities they should be watching out for. This list is considered a standard software security is measured by, but as there are far more than ten known vulnerabilities targeted by hackers, it’s not comprehensive.
The best way to prevent software vulnerabilities is to avoid creating them in the first place, but inadequate developer training combined with a reactive software development process can make this difficult. While automated code scanners do exist, they’re essentially useless in the hands of a developer who doesn’t know how to understand and fix the issues they find. Companies looking to beef up their software security programs may want to start with three basic areas.
Software vulnerabilities begin and end with software developers. Instead of fixing things once they’re already live, investing in training developers not to create them in the first place can be far more impactful and cost effective. With the rapidly changing pace of technology and cybersecurity threats, colleges are frequently behind on teaching developers to fix common security concerns. Encouraging a base level of security knowledge is helpful. The rapidly changing landscape also means training will need to continue periodically for all developers regardless of skill or experience level.
There are a number of automated tools to scan code for vulnerabilities. Some are static analyzers which are most impactful when used early in the development process. Other tools offer a dynamic analysis of the user interface by exercising the application and testing it for weak spots through the user interface. However, tools are limited in their effectiveness by the business needs which shape different interfaces. While these tools are certainly necessary as a part of any security program, no tool can accurately find every weakness. Experienced, trained developers can help fill in the blanks by performing manual peer reviews.
Software Development Procedures
From requirements to deployment, every step of the software development cycle has the potential to create security issues. Often, security is the last thing on the agenda due to budget and timeline restraints. Incorporating it into the process from the very beginning—known within the industry as “shifting left,” may help reduce the amount of damage control required at the end, and reduce costs.
Once a vulnerability has been identified, development should be paused until it can be addressed. Ideally, it would be the responsibility of the whole team to keep buggy code from being deployed. Shifting the culture to prioritize safety helps prevent that.
We’re Here to Help
For more information about software vulnerabilities and how you can help protect your organization from cyberthreats, contact your Moss Adams professional.