Largest Problem In Software Security Computer Science

Essay added: 21-10-2016, 19:06

The largest problem in software security today is that many security developers don't know what the actual problem is. It can be said that the problem is the software itself. You may have the world's best firewall, but if you let attackers reach the software systems through the firewall and the code is remotely exploitable, then the firewall is worthless. (Viega, 2001)

According to (Viega, 2001), many security developers do not fully understand software security or its real purpose and usage, which leads to problems such as bad software design and implementation. Understanding the purpose and usage of software security therefore helps developers do well when developing software systems.

Software security is important in the global environment. The National Institute of Standards (NIST) reported that $59.5 billion was spent annually on breakdowns and repairs of faulty software. It also found that 92% of all security weaknesses involve application vulnerabilities rather than network vulnerabilities. (Idongesit, 2007) On the other hand, software security (Goertzel, 2009) is implemented within the life cycle to avoid exceptions to the security policy during design, upgrade, development, deployment or maintenance of the application. The application manages data, and that data is produced by the users of the application.

According to the new trend, our life and information technology are unrestrained. Software security is important to every organization and industry. Since most processes depend on software applications, according to (Idongesit, 2007) security and quality improvement is the primary concern for all software developers, project managers and so on. If software security is consistently weak, organizations will spend a lot to solve the resulting problems, and government and industry will lose money and potential investors. Besides that, before creating any technology system, developers should have efficient software security protection in place to prevent malicious attacks such as Trojan horses, malware, spyware, adware and so on. They also need to know these attacks well, because understanding an attack makes the problem easier to solve. Developers must therefore have high-level knowledge to solve these problems; the more software security knowledge they have, the more secure the software systems they can implement.

Why is Software Security Crucially Important?

Nowadays, many organizations use different software to process, store and transmit their most important information over direct connections to the Internet. For example, private citizens' financial transactions are exposed on the Internet when they bank, pay taxes, buy insurance, shop, invest, or join an organization or social network. That means their private information is vulnerable to unauthorized use.

Furthermore, most systems are not attack-resistant or attack-flexible enough to withstand such attacks. At the same time, the era of information warfare and computer crime is well under way. Terrorists, organized criminals and other criminals try to access organization or government systems to obtain important information, which they exchange for benefits with other governments or organizations.

New attackers also keep appearing, because there is plenty of professional attacker education available to those interested in becoming attackers. Software systems must therefore be able to hold off a growing number of attackers. For example, the very popular social network service Facebook has many attackers who wish to access customers' secret data to obtain as much profit as possible. So Facebook changes its software security as rapidly as possible to protect that data; if customers' data were easy for attackers to obtain, the organization's image would suffer and its profits would fall as well.

On the other hand, many people use Facebook to exchange photos or secret data over the Internet without noticing that their data may already be subject to unauthorized use. Attackers who hold that data can do harmful things with it. So everyone who uses the Internet must be very careful, and developers have a responsibility to prevent these problems from occurring.

The most serious problem is that many countries have their own spies, who gain unauthorized access to another country's National Defense Association database to obtain important national documents, or to change important documents or statuses so that the other country is thrown into disorder, which may cause war between the countries.

In short, an organization's software security capability and its employees' knowledge must both be increased, because this can reduce malicious attacks by organized crime and terrorists. Using software security, technology can avoid some unnecessary wars or crimes and can also prevent attackers from reducing a system's information assurance. Most importantly, improving software security in organizations or National Defense Associates can reduce losses and reduce unwanted war.

The Problem and Issues In Software Security

Why is so much software today so easy for attackers to attack? Because that software contains many vulnerabilities, which make attacks easier. According to CERT, most successful attacks result from unrepaired software vulnerabilities, insecure software configurations and so on. Listed below are some problems and issues that often occur:

Vulnerabilities

A vulnerability is a weakness that allows attackers to reduce a software system's assurance, and such a failure is called a security vulnerability (Landwehr, 2008). It may result in denial of service, unauthorized disclosure, unauthorized destruction of data, or unauthorized modification of data.

Denial of service - prevents use of the software. The most general form is exhausting system resources, which causes the system to stop providing the correct resources to users.

Unauthorized disclosure - takes customer data or passwords without authorization. Nowadays the most common attack is through a database or web site, where the password is often stored in encrypted form.

Unauthorized destruction of data - destroys the data and blocks others from using it. In addition to destroying data, the configuration may be reset so that the system falls into a default or unsafe state, which attackers may then use.

Unauthorized modification of data - the data is not destroyed but changed to match the attacker's needs. This is the most serious outcome and often requires the attacker to gain full access to the system.

Non-Conformances (Unmatched) or a Failure To Satisfy Requirements

For non-conformances or a failure to satisfy requirements, the more general problems are coding errors, defects and input validation errors. The most important point about non-conformances is that validation and verification techniques are designed to prevent attacks. Improving these techniques benefits the security of the software.

Errors or Missing In Software Requirements

These occur when a system is developed but the software requirements are incorrect, unsuitable, or incomplete for the system's conditions. Unluckily, errors or omissions in software requirements are very hard to discover. For example, the software may execute exactly as required during normal use but may not correctly handle some system states. When this happens, unacceptable and unexpected behavior may occur. This type of problem cannot be settled inside the software discipline alone; the developers need to clearly understand the software system's requirements as well.

Bugs, Flaws, and Defects

The list of software security bugs continues to grow quickly, partially driven by fast growth in Web-based applications. Any proper bug list contains cross-site scripting, SQL injection, cross-site request forgery, buffer overflows, input validation problems, and so on. (McGraw, 2008) On the other hand, 50% of the software defects leading to security problems are higher-level flaws. (West, 2008)

According to (McGraw, 2008), bugs appear so quickly because systems reachable through the Internet can easily be accessed by any hacker. But bugs are only 50% of the problem because, according to (West, 2008), the software defects leading to security problems are higher-level weaknesses than bugs. These security problems include interposition problems, type safety confusion, insecure auditing, and so on.

Lastly, when developers start to develop a system they must be very clear about the system requirements, security problems and other issues, because this reduces the system's exposure to malicious attack through the Internet. But don't forget that a lot of security bugs can be found in non-Web software also.

SQL Injection

Figure 1 - SQL injection attack

SQL injection is an attack technique that takes user-supplied input and exploits the application to construct SQL statements; it can sometimes also be used to backdoor the Java application or execute operating system commands. According to the Java Application Security Trends Report for Q3-Q4 2009, it accounted for 32 percent and was used by hackers to attack the database of a Java application, gaining unauthorized access by bypassing authorization and reaching the database contents. Below is the outcome of an SQL injection attack:

Moreover, it takes advantage of the Java application to extract or alter information in the database, because the application does not strictly restrict user input to the expected characters (for example, by rejecting special characters) or validate the information contained in a web request before using that input directly in SQL queries (Susan Kemedy, 2007). The special characters cause an unexpected action in the SQL command, which then acts maliciously. A further advantage for the hacker is that the SQL error message returned by the database can assist them in stealing private information, credit card information and so on.

Ways to Prevent Problems & Issues in Software Security

Consideration and Recommendation

Authorized security policies and procedures should be implemented in any organization's environment. (Peltier, 2008) Employees should be trained, and not only in security protocols, mechanisms and devices. They also need training focused on the security risk management process and the procedures for developing secure software. (Karolak, 2008)

According to (Peltier, 2008), security policies and procedures are very important and should be implemented in any organization's environment because they let the organization reduce unnecessary losses. Furthermore, according to (Karolak, 2008), employees should understand the security risk management process and the procedures for developing secure software well. Specific training covers the phases of software analysis, design, coding and testing. It raises the level of employees, who will then better understand how to develop more secure systems.

As indicated by (Peltier, 2008), the major policies and procedures that address human and organizational risk factors include:

Security policies

Access control policy

User responsibility

Risk management methodology

Organization structure

Asset identification, classification and acceptable usage

Input/output validation

Cryptographic control

Physical and environment security

Malicious activity detection and network monitoring

Detecting malicious code in software development

Security architect, design, coding, testing

Training need assessment, plan and feedback

Competence / skill level matrix for all employees

Security awareness program and security education

Figure 2: Developing security software architecture considering human factors. (Karolak, 2008) [Diagram labels: Security Risks; Human and Organization Factors; Policies and Procedures; Security Requirements; Technical Solution; Secure Software Architecture]

Minimize the Number of High-Consequence Targets

Software should include as few high-consequence targets (trusted or critical components) as possible, because this reduces the attacker's chances. The more high-consequence targets there are, the more likely the software is to be attacked, and the greatest potential loss increases as well.

Don't Display Weaknesses and High-Consequence Components

Critical and trusted components should be exposed as little as possible, which reduces the chance of attack. Known vulnerable components should also be protected, because it takes only a little attacker knowledge, effort and resources to attack the software through them. Such an attack causes the organization unexpected losses.

Deny Attackers

The software should not give attackers any opportunity. Software quality should reduce weaknesses, vulnerabilities and so on. Furthermore, the software should be able to minimize harm, recover, and be restored as quickly as possible. This prevents attackers from attacking the software as often as they want. Nowadays this requires monitoring, recording and responding to how the software behaves. This principle includes resilience and dependability.

Always Assume "The Possible" Will Occur

Events that seem to happen seldom may occur once the software is installed in a new environment. Use cases and scenarios describe what is expected to happen to the software, but the software should be designed to guard against both likely and unlikely events. In the main, developers should always assume that their software will be attacked. For example, access controls and firewalls must be a main part of the development stage of software. Developers should assume that their software will be attacked and so will not operate under "normal" conditions. Listed below are the developer assumptions to discuss: (Goertzel, 2009)

Never make blind assumptions - Verify every assumption made by the software or about the software before acting on that assumption.

Security software is not the same as secure software - Software that performs information-security-related functions is not necessarily itself secure. Those functions can still include flaws and bugs. However, because security functions are high-consequence, the compromise or intentional failure of such software has a significantly higher potential impact than the compromise or failure of other software.

Static Code Security Checkers

Static code security checkers analyze and scan source code to find potential security problems. They work similarly to virus scanners. (Graff, 2003) The goal of static code security checkers is to focus the security analysis. Rather than the programmer searching the source with a utility program, the checker software knows about potential problems from encoded rules and entries in a database. These checkers not only find the problems but also describe them and suggest fixes. (Viega, 2005)

Both (Graff, 2003) and (Viega, 2005) describe static code security checkers as analyzing and scanning code to find potential security problems. Source code checkers are very effective at detecting security vulnerabilities, and a further advantage is that they can describe the problems and give developers or users reasonable suggestions. Using this software therefore makes problems easier to find and reduces the time developers and users spend looking for them.
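The rule-database idea described above, as an added example that is not from the essay or from any real checker: a small line-based scanner in Python that reports each hit together with the problem and a suggestion. The rule ids, rule wording and the Java sample are constructed for this example; real checkers parse the code and track data flow instead of matching single lines.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str          # hypothetical identifier, made up for this example
    pattern: re.Pattern   # what the checker looks for on one source line
    problem: str          # description reported to the developer
    suggestion: str       # recommended fix reported with the finding


# The "encoded rules" database. Both rules are illustrative only.
RULES = [
    Rule("SQL-CONCAT",
         re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+',
                    re.IGNORECASE),
         "SQL text is built by concatenating a value onto a string literal",
         "use a PreparedStatement with ? placeholders and setString()"),
    Rule("PLAIN-STATEMENT",
         re.compile(r"\bcreateStatement\s*\("),
         "a plain Statement runs whatever SQL string it is handed",
         "use connection.prepareStatement(query) and bind the parameters"),
]

# Constructed Java input: one concatenated query, one commented-out line,
# and the parameterized form, which must not be reported.
SAMPLE_JAVA = '''String custname = request.getParameter("customerName");
// String q0 = "SELECT * FROM user_data WHERE user_name = '" + custname;
String q1 = "SELECT account_balance FROM user_data WHERE user_name = '" + custname + "'";
Statement st = connection.createStatement();
ResultSet r1 = st.executeQuery(q1);
String q2 = "SELECT account_balance FROM user_data WHERE user_name = ? ";
PreparedStatement pstmt = connection.prepareStatement(q2);
pstmt.setString(1, custname);
'''


def scan(source, rules=RULES):
    """Return (line_number, rule_id, problem, suggestion) for every rule hit."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith("//"):   # whole-line comments are not code
            continue
        for rule in rules:
            if rule.pattern.search(line):
                findings.append((line_no, rule.rule_id,
                                 rule.problem, rule.suggestion))
    return findings


if __name__ == "__main__":
    for line_no, rule_id, problem, suggestion in scan(SAMPLE_JAVA):
        print(f"line {line_no}: [{rule_id}] {problem}; suggestion: {suggestion}")
```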

Prevent SQL Injection

One method of preventing SQL injection is the prepared statement: the SQL is defined first and each parameter is passed in to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied, and ensures that an attacker is not able to change the intent of a query, even if SQL commands are inserted by the attacker.

The example below shows how to prevent it: if an attacker were to enter the userID tom' or '1'='1, the parameterized query would not be vulnerable and would instead look for a username which literally matched the entire string tom' or '1'='1.

// Assumes java.sql.* is imported, request is the incoming HTTP request
// and connection is an open java.sql.Connection.
String custname = request.getParameter("customerName"); // This should REALLY be validated too
// perform input validation to detect attacks
String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, custname); // bound as data, never parsed as SQL
ResultSet results = pstmt.executeQuery( );

Software Security In Software Development Life Cycle (SDLC)

Software security can be ensured if secure coding is integrated at the development stage, where it can avoid potential vulnerabilities (weaknesses); activities such as vulnerability testing, application scanning, and penetration testing are part of the Software Development Life Cycle (Allen, 2007). Furthermore, "security enhancement" of the SDLC process primarily involves the revision or augmentation of existing SDLC activities, checkpoints and practices. In some cases, it may also involve adding new activities, practices or checkpoints. In a very few instances, it may also require the elimination or replacement of particular activities or practices. (Goertzel, 2009)

According to (Allen, 2007), the SDLC is a very important part of the development stage because it avoids potential vulnerabilities, helping developers build more dependable and trustworthy software systems. According to (Goertzel, 2009), the SDLC can be enhanced using the existing activities, practices or checkpoints. That means that, depending on the system and requirements, it may add new activities, remove existing activities, or replace particular activities.

As indicated by (Goertzel, 2009), the key elements of a secure software life cycle process are:

security criteria in all software life cycle checkpoints (both at the entry of a life cycle phase and at its exit)

adherence to secure software principles and practices

adequate requirements, architecture, and design

secure coding practices

secure software integration/assembly practices

security testing practices that focus on verifying the dependability, trustworthiness, and sustainability of the software being tested

secure distribution and deployment practices and mechanisms

secure sustainment practices

supportive tools

secure software configuration management systems and processes

security-knowledgeable software professionals

security-aware project management

upper management commitment to production of secure software

Figure 3: The software security touchpoints as introduced in Software Security

(McGraw, 2004) describes software security in the Software Development Life Cycle as follows:

Abuse cases - describe the system's behavior under attack; building them requires explicit coverage of what should be protected, from whom, and for how long.

Security requirements - must cover both overt functional security (for example, the use of applied cryptography (encryption)) and emergent characteristics. One great way to cover the emergent security space is to build abuse cases.

Risk analysis - is a necessity; security analysts should uncover and rank risks so that mitigation can begin. Ignoring risk analysis at this level leads to costly problems, because many security problems will then surface at the end or when users use the system, so risk analysis must be carried out and done well.

External review - means having another design team from outside examine the system as well.

Risk-based security tests - based on attack patterns and threat models. A good security test plan (with traceability back to requirements) uses both strategies.

Static analysis (tools) - tools that scan source code can find common vulnerabilities.

Penetration testing - is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerability that could result from poor or improper system configuration.

Security breaks - simply means attacks will happen, regardless of the strength of design and implementation, so monitoring software behavior is an excellent defensive technique. Knowledge gained by understanding attacks and exploits should be cycled back into the development organization, and security practitioners should explicitly track both threat models and attack patterns.

Enhancing the Development Life Cycle to Produce Secure Software defines secure software as follows (Winograd, 2008):

Dependability - software performs and functions predictably; all functions operate correctly, even under malicious attack by attackers.

Trustworthiness - software includes fewer weaknesses or vulnerabilities that may be attacked. Furthermore, the software also contains any malicious attack logic that can warn the attackers.

Survivability (resilience or flexibility) - software that is flexible enough to protect itself or tolerate attack (continue operating). It can recover as rapidly as possible and reduce harm as much as possible.

The purpose of secure software development is to design, implement, configure, and support software systems from the start of the system's life cycle until it ends, which requires knowing the system's requirements throughout. Moreover, the more effective way to reach secure software is through secure development, deployment, maintenance and use principles. If an organization has a correct secure software development life cycle (SDLC), weaknesses or vulnerabilities will be found early. This reduces unnecessary cost and time.

What the Software Practitioner Needs To Know

The developers, testers, integrators, and maintainers of secure software must have awareness, intention, and carefulness. They must pay attention to the software's concept and implementation, including unsatisfied requirements, poor design, implementation choices, unexpected coding errors or configuration mistakes.

Analysts must understand how to translate the need for software to be secure into acceptable requirements, designers must understand the different secure design principles, and programmers must use secure coding practices, avoid coding errors, and find and remove bugs wherever possible. Software integrators must know and try to reduce the security risk of vulnerable components, whether custom-built or open source, and must understand how modules and components fit together, to minimize vulnerabilities that attackers could find. (Goertzel, 2009)

According to (Goertzel, 2009), software practitioners should want to do their work well. If software practitioners understand what they should do and work as a team, developing software systems becomes easier and better. Software practitioners must therefore do their work well, so that development time and cost do not increase.

Implementing Software Security in the Workload Allocation Lecturer System

I have implemented my seminar title, Software Security, in my Final Year Report; the FYP title is Workload Allocation Lecturer System. Software security is very important to every software system, so it can improve the security of my Workload Allocation Lecturer System, and users need not worry that attackers will access the system to get secret data.

So, I can use the Preventing SQL Injection method, parameterized statements, to prevent SQL injection, as in the example below using Java and the JDBC API:

PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE USERNAME=? AND PASSWORD=?");
prep.setString(1, username);
prep.setString(2, password);
prep.executeQuery();

If a user types an SQL injection query into the text field, this method prevents the SQL injection and makes my system more secure. I will also use the secure software configuration management systems method to check the database history; when security problems occur, the admin will know who has changed the database history. This makes it easier for the admin to know which problems have come up, and so on.
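The two queries shown in the essay (the account balance lookup in the Prevent SQL Injection section and the USERNAME/PASSWORD check above), run side by side in concatenated and parameterized form against the essay's input tom' or '1'='1. This is an added example, not the essay author's code: it uses Python's built-in sqlite3 instead of JDBC so that it runs without a database server, and the table contents and function names are constructed for the demonstration.

```python
import sqlite3

PAYLOAD = "tom' or '1'='1"   # the input string quoted in the essay


def make_db():
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_name TEXT, account_balance INTEGER)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)",
                     [("tom", 100), ("alice", 2500)])
    # Plaintext passwords only mirror the essay's USERNAME/PASSWORD query;
    # a real system would store and compare salted password hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("tom", "tom-secret"), ("alice", "alice-secret")])
    return conn


def balance_concat(conn, custname):
    """Vulnerable: the input becomes part of the SQL text."""
    query = ("SELECT account_balance FROM user_data "
             "WHERE user_name = '" + custname + "'")
    return [row[0] for row in conn.execute(query)]


def balance_param(conn, custname):
    """Parameterized: the input is bound as a value, never parsed as SQL."""
    query = "SELECT account_balance FROM user_data WHERE user_name = ?"
    return [row[0] for row in conn.execute(query, (custname,))]


def login_concat(conn, username, password):
    """Vulnerable login check built by string concatenation."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_param(conn, username, password):
    """Same check with both values bound as parameters."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print("concatenated balance lookup:", balance_concat(db, PAYLOAD))
    print("parameterized balance lookup:", balance_param(db, PAYLOAD))
    print("concatenated login:", login_concat(db, "tom", PAYLOAD))
    print("parameterized login:", login_param(db, "tom", PAYLOAD))
    try:
        # A harmless name with an apostrophe breaks the concatenated query.
        balance_concat(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("concatenated lookup failed:", exc)
    print("parameterized lookup for o'brien:", balance_param(db, "o'brien"))
```

The concatenated forms return every balance and accept the login, while the parameterized forms look for a user literally named tom' or '1'='1 and find none.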

Lastly, I will implement the methods and techniques listed above in my Final Year Project, the Workload Allocation Lecturer System, as well.

Conclusion

In today's world, software systems are normally connected to the Internet. The threat of malicious attacks is real and continues to increase. Developers should therefore put more effort into research to ensure that software security operates well. This keeps software systems from being attacked and also reduces the organization's unnecessary costs. When developing software systems, the design team must produce a good design and implementation approach, which reduces the software's security vulnerabilities.

Many organizations or nations operate badly, perhaps because their important software systems are easily attacked. This damages the organization's or nation's image and also shrinks its markets. It causes many bad effects: the organization's sales fall, citizens raise many social problems, and citizens lose hope in the nation.

Also, consider what problems would occur if the software systems in our daily lives were untrustworthy, for example if we could not carry out online transactions such as paying taxes. The related government departments would become less efficient. If the problems affect users, they may cause financial loss or harm their safety.

So the human factors, covering those who develop, manage, purchase, use and attack the software, should be addressed in software development and security risk management. At present, we have identified the human and organization factors in software development and software security risk management. All these factors should be considered from the early stages of software development, which will also make software development more successful.

Finally, what are the relations of these issues or factors with the security solutions, technologies and tools? Further research should avoid or prevent software security problems as far as possible. Software security will remain a tough problem in the future, so we must put more effort into research. Because software security is very important and already part of our daily life, we should protect our secret data and privacy from unauthorized use. We should then do our best to develop more secure software in the future.
