What are software vulnerabilities?
Unintended behaviour, exploited by attackers
Main types of software vulnerabilities
Bugs
Inconsistent/emergent functionality
Design flaws
Supply chain attacks
Platform vulnerabilities
What are bugs
a mistake in the code, design, or logic of a software program that causes it to behave unexpectedly
A common design flaw
Confused deputy problem - A form of privilege escalation in which a program with high authority (the deputy) is tricked by a less-privileged caller into using that authority on the caller's behalf, e.g. a privileged service that opens whatever file path a client names
Supply chain attacks
An attack where a less secure element in the supply chain is exploited to gain access to the target company’s systems or data
Example of a platform vulnerability
Meltdown - 2018 CPU flaw: out-of-order execution lets an unprivileged process load kernel memory before the permission check rejects the access, and the loaded value leaks through a cache side channel, so attackers can read privileged memory from user space
How are vulnerabilities found?
Attacker-controlled input is the root of most attacks
Fuzzing
Feed the program large volumes of random or mutated input and watch for crashes, hangs or other odd behaviour
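A minimal mutation-based fuzzer, added here as an illustration and not part of the original notes. parse_message is a constructed toy target with a deliberately trusted length prefix; the fuzzer mutates a seed input, treats a clean ValueError as an intended rejection and any other exception as the crash it is hunting for:

```python
import random


def parse_message(data: bytes) -> bytes:
    """Toy length-prefixed parser used as the fuzz target (constructed example).

    Format: one length byte followed by that many payload bytes.
    Deliberate bug: the length byte is trusted, so a prefix that claims more
    bytes than were actually received makes the parser index past the end.
    """
    if len(data) < 2:
        raise ValueError("message too short")  # graceful, expected rejection
    length = data[0]
    payload = data[1:1 + length]
    if length:
        # Bug: payload may be shorter than `length` -> IndexError (the "crash")
        _last = payload[length - 1]
    return payload


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite a byte, insert a byte, or delete a byte."""
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == 2 and len(data) > 1:
        del data[rng.randrange(len(data))]
    return bytes(data)


def fuzz(target, seeds, iterations=2000, rng_seed=1):
    """Mutation fuzzer: returns {exception name: first input that triggered it}."""
    rng = random.Random(rng_seed)   # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            target(candidate)
        except ValueError:
            continue                # a deliberate rejection is not a bug
        except Exception as exc:    # anything else is the crash we hunt for
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


if __name__ == "__main__":
    for name, data in fuzz(parse_message, [b"\x03abc"]).items():
        print(f"{name}: {data!r}")
```

Production fuzzers such as AFL and libFuzzer add coverage feedback (keeping mutants that reach new code) and crash minimisation; the loop above shows only the core idea of mutate, run, watch.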
Injections
User input designed to cause unintended behaviour
Command Injection
an attack that lets the attacker execute arbitrary commands on the host operating system through a vulnerable application, typically by placing shell metacharacters (;, |, &&) in input that the application concatenates into a command string
Examples of Command Injection
SQL Injection (commands aimed at the database engine)
Shell Injection (commands aimed at the OS shell)
Script Injection
an attacker injects malicious script into a web application so that it executes in another user's browser (or, for server-side script injection, on the server)
Example of Script Injection
Cross-Site Scripting (XSS)
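Shell injection and XSS side by side, as an added example rather than code from the original notes. All function names are hypothetical; the shell half shows how a concatenated command line would be tokenised by a POSIX shell and the argv-plus-allow-list form that avoids the shell entirely, and the XSS half shows the same untrusted string rendered raw versus HTML-escaped:

```python
import html
import re
import shlex

# --- Shell injection ----------------------------------------------------

def build_ping_command_vulnerable(host: str) -> str:
    """VULNERABLE: untrusted input concatenated into a command string that
    would be handed to a shell (e.g. subprocess.run(cmd, shell=True))."""
    return f"ping -c 1 {host}"


def shell_tokens(command: str) -> list:
    """Tokenise a command line the way a POSIX shell would; with
    punctuation_chars=True the separators ; | & become their own tokens."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


# Allow-list: a hostname starts with an alphanumeric and contains only
# letters, digits, dots and hyphens. The leading-character rule also blocks
# option injection such as "-f" becoming an extra ping flag.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def ping_argv(host: str) -> list:
    """HARDENED: validate, then build an argv list. No shell ever parses the
    input, so `host` is exactly one argument whatever characters it holds."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ["ping", "-c", "1", host]   # run as subprocess.run(argv, check=True)


# --- Script injection (XSS) ----------------------------------------------

def render_greeting_vulnerable(name: str) -> str:
    """VULNERABLE: untrusted text placed straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """HARDENED: HTML-escape so the browser displays the text instead of
    executing it. Escaping must match the context (HTML body here; attribute,
    URL and JavaScript contexts each need their own encoder)."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    attack = "example.com; rm -rf /"
    print(shell_tokens(build_ping_command_vulnerable(attack)))
    print(ping_argv("example.com"))
    print(render_greeting_safe("<script>alert(1)</script>"))
```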
Memory Injection
injects malicious code into a computer’s runtime memory
Example of memory injection
buffer overflow - the program writes more data into a buffer than it can hold, overwriting adjacent memory; this can crash the program or let an attacker inject and execute malicious code
Heartbleed vulnerability
2014 flaw (CVE-2014-0160) in OpenSSL's TLS heartbeat extension: the server copied as many bytes as the request's length field claimed, without checking that claim against the payload actually received, so a tiny request could make it reply with up to 64 KB of its own memory, leaking private keys, session cookies and passwords. A read past a buffer (over-read) rather than a write past it, but the same missing bounds check
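A simulation of the Heartbleed bounds check, added here as an illustration and not OpenSSL's code. A bytes object stands in for the process heap (the received record followed by whatever else was allocated nearby), and the two handlers differ only in the length check the fix introduced; the secret string and record layout are constructed for the example:

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat(payload: bytes, claimed_length=None) -> bytes:
    """Heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding.
    An attacker sets claimed_length far larger than the real payload."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING


def process_heartbeat_vulnerable(memory: bytes, record_length: int) -> bytes:
    """Pre-fix logic. `memory` models the heap: the received record occupies the
    first record_length bytes and other allocations (keys, cookies) follow it."""
    _htype, payload_len = struct.unpack("!BH", memory[:3])
    # BUG: payload_len is attacker-controlled and never compared with the
    # bytes actually received, so the copy runs past the end of the record.
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def process_heartbeat_fixed(memory: bytes, record_length: int) -> bytes:
    """The check the patch added: discard any record whose claimed payload
    (plus 3-byte header and padding) exceeds what was received."""
    _htype, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + PADDING > record_length:
        return b""  # silently discard, per RFC 6520 section 4
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def heartbleed_demo():
    """Constructed scenario: a 2-byte payload claiming the maximum 65535 bytes,
    sitting in memory just before a secret. Returns (vulnerable reply, fixed reply)."""
    secret = b"session=0xdeadbeef; password=hunter2"   # constructed heap contents
    record = build_heartbeat(b"hi", claimed_length=65535)
    memory = record + secret   # heap layout: the record, then a leftover secret
    return (process_heartbeat_vulnerable(memory, len(record)),
            process_heartbeat_fixed(memory, len(record)))


if __name__ == "__main__":
    leaked, safe = heartbleed_demo()
    print("vulnerable reply:", leaked)
    print("fixed reply:     ", safe or b"(discarded)")
```

In Python a slice past the end simply stops short, so the simulation can only show data that really follows the record; in the C original the memcpy walked 64 KB of live heap regardless of what it contained.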
Key Mitigation/Best Practices
Assume breach
Defence in depth
Security by Design
Never trust user input
Test continuously (fuzzing, pen testing)
Manage supply chain risk (vet and pin dependencies, verify signatures)
Avoid security by obscurity
Defence in Depth
Using multiple-layered security measures, such as physical, technical, and administrative, to protect organisations’ assets. If one defence fails, other layers are in place to protect, detect, and mitigate attacks
Security by Obscurity
Security practice that relies on hiding details/vulnerabilities of a system to make it harder for attackers to find and exploit them, i.e. the belief that secrecy alone provides security. It fails as soon as the secret leaks and is no substitute for sound design (Kerckhoffs's principle)
Security by Design
Integrating security measures into the initial design. Least privilege, fail-safe defaults, proven design patterns.