Security Issues in Software Development

Abstract

With the complexity and fast pace of the software development lifecycle, software engineering is under huge pressure to deliver business requirements without paying enough attention to the security breaches the software might encounter. Such security problems make it hard for a business to deliver the continuity and availability its customers require. For example, in client/server systems where data is distributed across multiple servers and sites, it is impractical to implement a centralised security mechanism that can deal with all the security threats related to both the client and the server. Such distributed systems and services are therefore vulnerable to damage from viruses and misuse in general, and to other scenarios such as Denial of Service attacks (Wilson and Craske, 1999).

Wilson and Craske (1999) explained that in the client/server model the client machines are, most of the time, the source of the threat, and that a compromised client can carry that threat over to the server and its data. The same problem arises with web servers, which clients usually access through requests issued by web browsers over protocols that attackers can abuse to compromise the security models implemented by the web servers. To secure such communications at both ends, four basic principles of the Trusted Computing Base (TCB) should be implemented:

  • Identification and authorization must be implemented (authentication).
  • Discretionary control must be available.
  • Audit procedures and policy should be implemented.
  • The object re-use concept must be implemented.
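The four principles are easier to reason about when they are seen enforced together in one place. The following is an added example, not code from the original post or from Wilson and Craske: a small in-memory object server whose class and method names (Server, register, grant_read, and so on) are illustrative. It authenticates users with a salted PBKDF2 hash compared in constant time, lets only an object's owner grant read access (discretionary control), records every decision in an audit trail, and zeroes released storage before re-using it so that no previous owner's data survives in a re-used buffer.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed example: a tiny in-memory object server that enforces the four
# TCB principles listed above. All class and method names are illustrative.
PBKDF2_ROUNDS = 100_000


class Server:
    def __init__(self):
        self._users = {}      # username -> (salt, PBKDF2 digest)
        self._objects = {}    # object name -> bytearray holding the data
        self._acl = {}        # object name -> {"owner": str, "readers": set}
        self._free_pool = []  # released buffers waiting to be re-used
        self.audit = []       # audit trail, appended on every decision
        self.reuse_count = 0  # how many allocations came from the free pool

    # --- 1. Identification and authentication -------------------------------
    def register(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def authenticate(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            self._log("auth", username, None, "denied: unknown user")
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        ok = hmac.compare_digest(candidate, digest)  # constant-time comparison
        self._log("auth", username, None, "ok" if ok else "denied: bad password")
        return ok

    # --- 2. Discretionary access control: the owner decides who may read ----
    def create(self, owner, name, data):
        buf = self._allocate(len(data))
        buf[:] = data
        self._objects[name] = buf
        self._acl[name] = {"owner": owner, "readers": {owner}}
        self._log("create", owner, name, "ok")

    def grant_read(self, requester, name, grantee):
        if self._acl[name]["owner"] != requester:
            self._log("grant", requester, name, "denied: not owner")
            raise PermissionError(f"{requester} does not own {name}")
        self._acl[name]["readers"].add(grantee)
        self._log("grant", requester, name, f"ok: {grantee} may read")

    def read(self, requester, name):
        if requester not in self._acl[name]["readers"]:
            self._log("read", requester, name, "denied")
            raise PermissionError(f"{requester} may not read {name}")
        self._log("read", requester, name, "ok")
        return bytes(self._objects[name])

    # --- 4. Object re-use: scrub released storage before handing it out again
    def delete(self, requester, name):
        if self._acl[name]["owner"] != requester:
            self._log("delete", requester, name, "denied: not owner")
            raise PermissionError(f"{requester} does not own {name}")
        buf = self._objects.pop(name)
        del self._acl[name]
        for i in range(len(buf)):  # overwrite so no residue survives
            buf[i] = 0
        self._free_pool.append(buf)
        self._log("delete", requester, name, "ok: storage scrubbed")

    def _allocate(self, size):
        for i, buf in enumerate(self._free_pool):
            if len(buf) == size:
                reused = self._free_pool.pop(i)
                assert not any(reused), "re-used storage must not carry old data"
                self.reuse_count += 1
                return reused
        return bytearray(size)

    # --- 3. Audit: every decision is recorded, allowed or denied ------------
    def _log(self, action, actor, obj, outcome):
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "actor": actor, "object": obj, "outcome": outcome,
        })


def demo():
    """Exercise all four principles; returns the server for inspection."""
    s = Server()
    s.register("alice", "correct horse")
    s.register("bob", "battery staple")
    assert s.authenticate("alice", "correct horse")
    assert not s.authenticate("alice", "wrong")
    s.create("alice", "payroll", b"salary data")
    try:
        s.read("bob", "payroll")               # bob has not been granted access
    except PermissionError:
        pass
    s.grant_read("alice", "payroll", "bob")
    assert s.read("bob", "payroll") == b"salary data"
    s.delete("alice", "payroll")               # storage zeroed and pooled
    s.create("bob", "notes", b"same length")   # same size: re-uses the scrubbed buffer
    return s


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry["action"], entry["actor"], entry["object"], entry["outcome"])
```

The denied read and the failed login both appear in the audit trail, which is the point of the third principle: a decision that is refused is still a decision worth recording. The assertion inside `_allocate` is the object re-use check; if `delete` ever stopped scrubbing, the next same-sized allocation would fail loudly instead of quietly handing bob alice's payroll bytes.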

Securing communication between the client and the server, both within a client/server system and over the web, starts with securing the client side and its applications. Security issues on the client side can exist in browser software such as Microsoft Internet Explorer (IE), and on the server side in software such as Microsoft Internet Information Services (IIS) (Wilson and Craske, 1999).

Other vulnerabilities exist within the applications themselves and in how they are implemented. For example, many security issues arise in web applications when incorrect settings are placed in the ASP.NET Web.config file; such misconfiguration can open security holes that lead to session hijacking, disclosure of private data to attackers, or cross-site scripting attacks (Sullivan, 2007).
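A practical way to catch the Web.config problems just described is to audit the file before it is deployed. The script below is an added example written for this post, not code from Sullivan's article or from Microsoft: it embeds a constructed weak Web.config next to a constructed hardened one and flags the settings that lead to the outcomes named above (debug and trace output and raw error pages disclosing internals, script-readable or non-Secure cookies and cookieless sessions enabling session hijacking, and request validation turned off weakening the cross-site scripting defence). The element and attribute names are real ASP.NET system.web settings; the two sample files and the check table are constructed for this example, and only values explicitly written in the file are judged.

```python
import xml.etree.ElementTree as ET

# Constructed samples. The element and attribute names are real ASP.NET
# system.web settings; the two files themselves are made up for this example.
WEAK_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    <sessionState cookieless="UseUri" />
    <pages validateRequest="false" />
    <authentication mode="Forms">
      <forms requireSSL="false" cookieless="UseUri" />
    </authentication>
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx" />
    <trace enabled="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <sessionState cookieless="UseCookies" />
    <pages validateRequest="true" />
    <authentication mode="Forms">
      <forms requireSSL="true" cookieless="UseCookies" slidingExpiration="false" />
    </authentication>
  </system.web>
</configuration>"""

# (element path under system.web, attribute, weak values, consequence)
CHECKS = [
    ("compilation", "debug", {"true"},
     "debug build: detailed errors and stack traces reach remote users"),
    ("customErrors", "mode", {"off"},
     "custom errors off: raw exception pages disclose internals"),
    ("trace", "enabled", {"true"},
     "tracing on: trace.axd can expose request and session data"),
    ("httpCookies", "httpOnlyCookies", {"false"},
     "cookies readable by script: XSS can steal the session cookie"),
    ("httpCookies", "requireSSL", {"false"},
     "cookies not Secure: session cookie travels over plain HTTP"),
    ("sessionState", "cookieless", {"useuri", "true"},
     "cookieless session: session ID in the URL leaks via Referer and logs"),
    ("pages", "validateRequest", {"false"},
     "request validation off: one XSS defence layer removed"),
    ("authentication/forms", "requireSSL", {"false"},
     "forms auth ticket not SSL-only: credentials cookie can be hijacked"),
]


def audit_web_config(xml_text):
    """Return a list of (setting, consequence) for explicitly weak values.

    Only values written in the file are judged; framework defaults for
    absent attributes are not evaluated here.
    """
    root = ET.fromstring(xml_text)
    web = next((c for c in root if c.tag == "system.web"), None)
    findings = []
    if web is None:
        return findings
    for path, attr, weak, why in CHECKS:
        element = web.find(path)
        value = element.get(attr) if element is not None else None
        if value is not None and value.lower() in weak:
            findings.append((f"{path}@{attr}={value}", why))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_web_config(cfg))} finding(s)")
        for setting, why in audit_web_config(cfg):
            print(f"  {setting}: {why}")
```

Running it on a real deployment's Web.config is a cheap pre-release gate: every finding maps to one of the outcomes in the paragraph above, and a clean result on the hardened sample shows what the file should look like. The limitation stated in the docstring matters in practice, since an absent attribute falls back to the framework default, so a fuller audit would also encode those defaults.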

IIS Security Issues

Claburn (2009) explained that Internet Information Server (IIS) has had many vulnerabilities in the past that affected many organizations and small businesses. Some of these vulnerabilities are:

  •  Denial-of-Service attacks – this attack is related to a stack overflow in the IIS FTP module. When IIS is configured to allow anonymous FTP, attackers can log in and create a long directory name that triggers the overflow condition. The solution suggested by Microsoft is to turn off the FTP service unless it is needed; in addition, IIS should be configured to prevent the creation of new directories.
  •  Elevation-of-privilege attacks – this attack is launched by sending crafted anonymous HTTP requests to gain access to a location that usually requires authentication. It can be mitigated by enforcing file-system-based ACLs, so that the attacker is restricted to the permissions granted to the anonymous user account on the system.
  •  Zero-day attacks – exploit code for this attack can be used to create a Denial of Service (DoS) condition on Windows Server 2003 and Windows XP without requiring write access to the server file system. To mitigate it, NTFS permissions need to be modified to disallow directory creation by FTP users and to disallow FTP write access for anonymous users (Prince, 2009).
  •  File Transfer Protocol (FTP) attacks – this attack happens when code is run to install unauthorized software on the IIS server. It is only possible when FTP is enabled, so it can be mitigated by disabling the FTP capability on IIS (Protalinski, 2009).
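Disabling FTP or denying anonymous write access is the fix; while FTP remains enabled, the same IIS items above also tell a defender what to watch for in the FTP logs: anonymous sessions issuing write commands, and directory-creation requests with abnormally long names. The following is an added example, not code from the cited articles or from Microsoft. The log sample is constructed (RFC 5737 documentation addresses, made-up timestamps, and a simplified subset of the W3C extended fields that IIS FTP logging writes), and the 200-character threshold is an assumption to be tuned against what legitimate clients actually produce.

```python
# Constructed sample of a W3C-format IIS FTP log. The field names follow the
# W3C extended format that IIS writes (a simplified subset); the entries are
# made up and use documentation IP ranges (RFC 5737).
LONG_NAME = "/" + "A" * 300

SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services",
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status",
    "2010-11-06 10:00:01 203.0.113.5 anonymous 192.0.2.10 21 USER anonymous 331",
    "2010-11-06 10:00:02 203.0.113.5 anonymous 192.0.2.10 21 PASS *** 230",
    "2010-11-06 10:00:03 203.0.113.5 anonymous 192.0.2.10 21 LIST / 226",
    f"2010-11-06 10:00:05 203.0.113.5 anonymous 192.0.2.10 21 MKD {LONG_NAME} 550",
    "2010-11-06 10:00:07 203.0.113.5 anonymous 192.0.2.10 21 STOR /upload/tool.exe 550",
    "2010-11-06 10:05:00 198.51.100.7 alice 192.0.2.10 21 MKD /reports/2010-11 257",
    "2010-11-06 10:05:02 198.51.100.7 alice 192.0.2.10 21 STOR /reports/2010-11/q3.csv 226",
])

# FTP commands that change server-side state; none should come from "anonymous".
WRITE_METHODS = {"MKD", "STOR", "APPE", "DELE", "RMD", "RNTO"}
MAX_PATH_LEN = 200  # assumed threshold; tune to what legitimate clients produce


def parse_w3c(log_text):
    """Yield one dict per entry, keyed by the names in the #Fields: header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def detect(log_text):
    """Return (rule, client_ip, method, path) for each suspicious entry.

    Failed attempts (sc-status 550) are reported too: the attempt itself is
    the signal, whether or not the server refused it.
    """
    alerts = []
    for entry in parse_w3c(log_text):
        method = entry["cs-method"]
        path = entry["cs-uri-stem"]
        anonymous = entry["cs-username"].lower() == "anonymous"
        if anonymous and method in WRITE_METHODS:
            alerts.append(("anonymous-write", entry["c-ip"], method, path[:40]))
        if method in {"MKD", "RNTO"} and len(path) > MAX_PATH_LEN:
            alerts.append(("oversized-path", entry["c-ip"], method, path[:40] + "..."))
    return alerts


if __name__ == "__main__":
    for rule, ip, method, path in detect(SAMPLE_LOG):
        print(f"{rule:16} {ip:15} {method:5} {path}")
```

On the sample, the two anonymous write attempts from 203.0.113.5 are flagged even though the server returned 550, and the long MKD is flagged a second time as an oversized path, while alice's normal directory creation and upload are not reported. Once anonymous write access has been denied at the NTFS level as the text recommends, the first rule should stay silent; if it does not, the permission change has not taken effect.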

IE Security Issues

Prince (2007) explained that Internet Explorer (IE) is used by many users across the world, and such a client application faces many security threats that can compromise both the user's computer and server security. Some of the security threats IE has faced over the past years are:

  • Crafted script (phishing site) attack – this attack creates a crafted link to a local HTML resource containing a script that displays fake content imitating a trusted site. Once the link is clicked, a “Navigation Cancelled” page is displayed to push the victim into refreshing the page, at which point the fake content is served to the user. To avoid this attack, users must be aware of it and must not trust the “Navigation Cancelled” page.
  • Inline Frames attack – this attack happens via iframes, which are commonly used to serve web ads that come from a different domain than the content appearing on the same web page. In Internet Explorer such iframes did not have properly restricted access to a document's frames, so attackers could modify the contents of the iframes to direct users to different domains (Claburn, 2009).
  •  Code Execution attack – this attack happens when an attacker hosts a maliciously crafted web page; the code runs if the user is convinced to visit the page and press the F1 key in response to a pop-up (Naraine, 2010).
  •  System File attack – this attack is initiated through a file that is part of the Windows system files. The attacker takes control of the user's computer via an IE feature that lets the browser control other Microsoft applications running on a Windows system; the control is gained during the user's visit to the attacker's web site (Thurrott, 2005).

Conclusion

Computer applications and software are always exposed to many attacks, so there is a lot to be done to avoid threats that can compromise users' information and organizations' confidentiality. Computer systems need to be kept up to date with security patches. Developers also have a big role in securing applications and preventing security holes from exposing important information for attackers to use. It is imperative to maintain a security model that is applied throughout the software and application development lifecycle. Such a model should be based on lessons learned and on security models that can prevent future attacks.

Finally, attackers will always find their way to the security gaps in any application or software, so it is important that applications and software follow all security updates and patches to prevent such threats to computer systems.

References

Claburn, T. (2009) Microsoft Expands IIS Vulnerability Warning [Online]. Available from: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=219501448 (Accessed: 06 November 2010).

Claburn, T. (2009) Microsoft Internet Explorer Vulnerability Warning Issued [Online]. Available from: http://www.informationweek.com/news/internet/browsers/showArticle.jhtml?articleID=208801757 (Accessed: 06 November 2010).

Naraine, R. (2010) Microsoft Investigating new IE browser vulnerability [Online]. Available from: http://www.zdnet.com/blog/security/microsoft-investigating-new-ie-browser-vulnerability/5560 (Accessed: 06 November 2010).

Prince, B. (2009) Microsoft IIS Vulnerability Gets Hit By Attacks [Online]. Available from: http://www.eweekeurope.co.uk/news/news-security/microsoft-iis-vulnerability-gets-hit-by-attacks-1767 (Accessed: 06 November 2010).

Prince, B. (2007) Microsoft Investigates IE 7 Vulnerability [Online]. Available from: http://www.eweek.com/c/a/Security/Microsoft-Investigates-IE-7-Vulnerability/ (Accessed: 06 November 2010).

Protalinski, E. (2009) IIS vulnerability under limited attacks [Online]. Available from: http://arstechnica.com/microsoft/news/2009/09/microsoft-investigating-possible-vulnerability-in-iis.ars (Accessed: 06 November 2010).

Sullivan, B. (2007) Top 10 Application Security Vulnerabilities [Online]. Available from: http://www.developerfusion.com/article/6745/top-10-application-security-vulnerabilities-in-webconfig-files-part-two/ (Accessed: 06 November 2010).

Thurrott, P. (2005) Microsoft Preps Fix for Latest IE Vulnerability [Online]. Available from: http://www.windowsitpro.com/article/internet/microsoft-preps-fix-for-latest-ie-vulnerability.aspx (Accessed: 06 November 2010).

Wilson, I. & Craske, N. (1999) Client/Server Security Issues [Online]. Available from: http://www.melbpc.org.au/pcupdate/9908/9908article8.htm (Accessed: 06 November 2010).
