Vulnerabilities are related to:
- physical environment of the system
- the personnel
- administration procedures and security measures within the organization
- business operation and service delivery
- communication equipment and facilities
- peripheral devices
- and their combinations.
It is evident that a purely technical approach cannot even protect physical assets: one needs administrative procedures that let maintenance personnel enter the facilities, and people with adequate knowledge of those procedures who are motivated to follow them with proper care.
Four examples of vulnerability exploits:
- an attacker finds and uses an overflow weakness to install malware to export sensitive data;
- an attacker convinces a user to open an email message with attached malware;
- an insider copies a hardened, encrypted program onto a thumb drive and cracks it at home;
- a flood damages one's computer systems installed on the ground floor.
Common types of software flaws that lead to vulnerabilities include:
- Memory safety violations, such as:
- Input validation errors, such as:
  - Code injection
  - Cross-site scripting in web applications
  - Directory traversal
  - E-mail injection
  - Format string attacks
  - HTTP header injection
  - HTTP response splitting
  - SQL injection
- Privilege-confusion bugs, such as:
  - Cross-site request forgery in web applications
  - FTP bounce attack
  - Privilege escalation
- Race conditions, such as:
  - Symlink races
  - Time-of-check-to-time-of-use bugs
- Side-channel attack
  - Timing attack
- User interface failures, such as:
  - Blaming the victim: prompting a user to make a security decision without giving the user enough information to answer it
  - Race conditions
  - Warning fatigue or user conditioning.
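As an added example (not part of the original article), the directory traversal and symlink entries above shown as a vulnerable path check beside a hardened one in Python; the web-root directory and file names are constructed for the demonstration.

```python
import os
import tempfile

# Added example, not part of the original text: a directory traversal flaw from
# the "input validation errors" category beside a hardened version of the check.
# All paths and file names below are constructed for the demonstration.

def unsafe_resolve(base_dir: str, user_path: str) -> str:
    """Vulnerable: joins a caller-supplied path onto base_dir with no check.
    '..' segments walk out of base_dir, an absolute path replaces it entirely
    (os.path.join drops base_dir when the second argument is absolute), and a
    symlink inside base_dir that points elsewhere is followed silently."""
    return os.path.normpath(os.path.join(base_dir, user_path))

def safe_resolve(base_dir: str, user_path: str) -> str:
    """Hardened: canonicalise (resolving '..' and symlinks), then verify the
    result is still inside base_dir before anything is done with it."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, user_path))
    # commonpath avoids the prefix trap: '/srv/app-data' is not under '/srv/app'.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return target

def escapes(base_dir: str, path: str) -> bool:
    """True if the real target of `path` lies outside base_dir."""
    root = os.path.realpath(base_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root

def demo() -> dict:
    """Run both resolvers over constructed inputs. For each input returns
    (did unsafe_resolve escape base_dir?, did safe_resolve reject it?)."""
    base = tempfile.mkdtemp(prefix="webroot-")
    cases = ["index.html", "docs/../../secret.txt", "../../etc/passwd", "/etc/passwd"]
    try:  # a symlink inside the web root that points at its parent directory
        os.symlink(os.path.dirname(base), os.path.join(base, "link"))
        cases.append("link/secret.txt")
    except OSError:
        pass  # platforms without symlink support simply skip this case
    results = {}
    for case in cases:
        try:
            safe_resolve(base, case)
            rejected = False
        except ValueError:
            rejected = True
        results[case] = (escapes(base, unsafe_resolve(base, case)), rejected)
    return results

if __name__ == "__main__":
    print(demo())
```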
Several sets of coding guidelines have been developed, and a large number of static code analysers have been used to verify that code follows them.