Phenquestions
What is secured is information and software packages (applications and documents). Information is any message that is useful to anybody. “Information” is a vague word. The context in which it is used gives its meaning. It can mean news, lecture, tutorial (or lesson), or solution. A software package is usually a solution to some problem or related problems. In the past, all information not spoken was written on paper. Today, the software can be considered as a subset of information.
The software can reside in a computer, or be in transit from one computer to another. Files, data, emails, recorded voice, recorded videos, programs, and applications reside on a computer. While residing in a computer, it can be corrupted. While in transit, it can still be corrupted.
Any device with a processor and memory is a computer. So, in this article, a calculator, a smartphone, or a tablet (e.g., iPad) is a computer. Each of these devices and their network transmission media has software, or software in transit that should be protected.
Privileges
A user may be given the privilege to execute a file on a computer. A user may be given the privilege to read the code of a file in a computer. A user may be given the privilege to modify (write) the code of a file in a computer. A User may be given one, two, or all three of these privileges. There are other privileges to an operating system or a database. Users have different amounts or levels of privileges in a system.
Threats
Bases of Software Threats
To protect software, you have to know its threats. The software has to be protected from unauthorized people accessing its data. It has to be protected against unlawful use (to cause harm, for example). The software should be protected against disclosure to rivals. The software should not be corrupted. The software should not be deleted unintentionally. The software should not be disrupted. The software should not have any modification that is uncalled for. Data (software) should not be inspected for no good reason, especially by unauthorized people. The software should not be copied (pirated).
One or more of these bases, resulting in a particular type of classical threat.
Classes of Software Threat
Spoofing Attack
This is the situation where a person (or program) successfully represents another person (or program) in some software activity. This is done using false data to gain an advantage that is illegal.
Repudiation
This is the situation in which somebody does something wrong, and refuses that he/she is not the one who did it. The person can use another person's signature to do the wrong thing.
Data Breach
A data breach is when secure or private information is released intentionally or unintentionally to an environment that is not trusted.
Denial-of-Service Attack
A software computer network has software running in the computers of the network. Each user usually uses his computer in front of him and usually requests services from other computers in the network. A criminal user may decide to be flooding a server with superfluous requests. A server has a limited number of requests it can handle in a duration. In this flooding scheme, legitimate users cannot use the server as often as they should, since the server is busy responding to the criminal's requests. This overloads the server, temporarily or indefinitely disrupting services of the server. In the course of this, the host (server) slows down in operation for legitimate users, while the perpetrator carries out his mischief, which goes undetected, because the legitimate users standing by, waiting for service, could not know what was going on at the server. The good users are denied service, while the attack is going on.
Privilege Escalation
Different users of an operating system or application have different privileges. So, some users end up with more value than others, from the system. Exploiting a software bug or configuration oversight to gain elevated access to resources or unauthorized information is Privilege Escalation.
The above classification schemes can be used to cause a computer virus and worms.
One or more of the above classification schemes can be used for software attacks, which include: theft of intellectual property, database corruption, identity theft, sabotage, and information extortion. If a person uses one or more of the schemes to modify destructively, a website so that the customers of the site lose confidence, that is sabotage. Information extortion is the stealing of a company's computer or falsely obtaining secret information about the company. The computer stolen may have secret information. This can lead to ransomware, where the thief would ask for a payment, in return for the property or information stolen.
Privacy
When something is sensitive or inherently special to you, then that thing is private to you. This also applies to a group of people. An individual needs to express himself/herself selectively. To attain such selectivity, the individual has to schedule himself/herself or schedule information about himself/herself; that is privacy. A group of people needs to express themselves selectively. To attain such selectivity, the group has to schedule themselves or schedule information about themselves; that is privacy. An individual needs to protect himself/herself selectively. In order to attain such selective protection, the individual has to protect himself/herself or protect information about himself/herself in a selective way; that is, privacy. A group of people needs to protect themselves selectively. In order to attain such selective protection, the group has to protect themselves or protect information about themselves in a selective way; that is, privacy.
Identification and Authentication
When you travel to a foreign country, you will reach a port of that country. At the port, a police officer will ask you to identify yourself. You will present your passport. The police officer will know your age (from date of birth), your gender, and your profession from the passport, and he will look at you (your face); that is identification. The police officer will compare your real face and the photo in the passport. He will also estimate your age with what is in the passport to know if it is you.
Looking at you and associating your age, gender, and profession with you is identification. Verifying if your real face and your photo are the same, and estimating if your presentation matches your age, is authentication. Identification is associating a person or something to certain attributes. Indicating an identity is also identification. Authentication is the act of proving that the identity (identification) is true. In other words, authentication is the act of proving an assertion.
In computing, the most common way of authentication is the use of a password. A server, for example, has many users. At login, you indicate your identity (identify yourself) with your username. You prove your identity with your password. Your password is supposed to be known only by you. Authentication can go further; by asking you a question, like “In which town or city was you born?”
Security Goals
The security goals in information are Confidentiality, Integrity, and Availability. These three features are known as the CIA triad: C for Confidentiality, I for Integrity, and A for Availability.
Confidentiality
The information must not be disclosed to unauthorized individuals, or unauthorized entities or unauthorized processes; this is information confidentiality in information security (as well as software security). The stealing of passwords or the sending of sensitive emails to an incorrect individual is confidentiality being compromised. Confidentiality is a component of privacy that protects information from unauthorized individuals, or unauthorized entities or unauthorized processes.
Integrity
Information or data has a lifecycle. In other words, information or data has a starting time and ending time. In some cases, after the end of the lifecycle, the information (or data) must be erased (legally). Integrity consists of two features, which are: 1) the maintenance and assuring of the accuracy of the information (or data) over the entire lifecycle, and 2) the completeness of the information (or data) over the entire lifecycle. So, information (or data) must not be reduced or modified in an unauthorized or undetected way.
Availability
For any computer system to serve its purpose, information (or data) must be available when needed. This means that the computer system, and its transmission media, must be functioning correctly. Availability can be compromised by system upgrades, hardware failures, and power outages. Availability can also be compromised by denial-of-service attacks.
Non-Repudiation
When somebody uses your identity and your signature to sign a contract that he never fulfilled, non-repudiation is when you cannot successfully deny in court that you did not author the contract.
At the end of a contract, the party offering the service must have offered the service; the party paying must have made the payment.
To understand how non-repudiation is applicable to digital communication, you have to first know the meaning of key and the meaning of digital signature. A key is a piece of code. A digital signature is an algorithm that uses a key to produce some other code that is likened to a written signature of the sender.
In digital security, non-repudiation is provided (not necessarily guaranteed) by a digital signature. In software security (or information security), non-repudiation is to do with data integrity. Data encryption (which you might have heard) combined with digital signature contributes to confidentiality, as well.
The security goals in information are Confidentiality, Integrity, and Availability. However, non-repudiation is another feature you have to take into consideration when dealing with information security (or software security).
Responses to threats
Threats can be responded to, in one or more of the following three ways:
- Reduction/mitigation: This is the implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats.
- Assigning/Transferring: This places the burden of the threat onto another entity, such as an insurance company or an outsourcing company.
- Acceptance: This evaluates if the cost of the countermeasure outweighs the possible cost of loss due to the threat.
Access Control
In information security of which software security is a part, access control is a mechanism that ensures that only eligible users are able to access protected resources in a given system, with their different deserved privileges.
Current Solution to Information Security
The current and popular way to do information security is to enforce access control. This includes measures such as validating input to an application, installing antivirus, using a firewall to a local area network, and employing Transport Layer Security.
When you expect a date as input to an application, but the user enters a number, such an input has to be rejected. That is input validation.
An antivirus installed in your computer prevents viruses from corrupting files on your computer. This helps in the availability of software.
Rules can be made to monitor and control incoming and outgoing traffic of a local area network, in order to protect the network. When such rules are implemented as software, in the local area network, that is a firewall.
Transport Layer Security (TLS) is a security protocol designed to facilitate privacy and data security for transmissions over the Internet. This involves encrypting the communication between sending host and receiving host.
Doing information security by enforcing access control is called Security Software, which is different from Software Security, as explained below. Both approaches have the same aim, but they are different.
Software Security Proper
Applications, as they are written today, have a lot of software vulnerabilities that programmers have realized more and more for the past 20 years. Most attacks are made by taking advantage of these vulnerabilities than overcoming or working around access control.
A buffer is like an array but without an imposed length. When a programmer is writing into a buffer, it is possible to unconsciously overwrite beyond its length. This vulnerability is a buffer overflow.
Software today has defected with security ramifications-including implementation bugs such as buffer overflows and design flaws such as inconsistent error handling. These are vulnerabilities.
You might have heard of computer language cheats such as PHP cheats, Perl cheats, and C++ cheats. These are vulnerabilities.
Software security, as opposed to security software, is overcoming these vulnerabilities by writing defensive code where the vulnerabilities would be prevented. While the application is being used, as more vulnerabilities are discovered, developers (programmers) should look for ways to re-code the vulnerabilities, defensively.
The threat, denial-of-service attack, cannot be stopped by access control, because for the perpetrator to do it, he must already have access to the host (server). It can be stopped by including some internal software that monitors what users are doing in the host.
Software security is a robust design from within, that makes software attacks difficult. The software should be self-protecting and, at the limit, have no vulnerability. In this way, running a secure network becomes easier and more cost-effective.
Software security is designing defensive code from within the application while security software is enforcing (designing) access control. Sometimes these two issues overlap, but often, they do not.
Software security is already quite developed, though it is still being developed, it is not as developed as security software. Bad hackers achieve their aims more by taking advantage of vulnerabilities in software than by overcoming or working around security software. It is hoped that in the future, information security will be more of software security than security software. For now, both software security and security software must be going on.
Software security will not really be effective if rigorous testing is not done at the end of the software development.
Programmers have to be educated in carrying out defensive code programming. Users also have to be educated on how to use applications defensively.
In software security, the developer has to ensure that the user does not get more privileges than he deserves.
Conclusion
Software security is the designing of application with defensive coding against vulnerabilities to make software attacks difficult. Security software, on the other hand, is the production of software that enforces access control. Software security is still being developed, but it is more promising for information security than security software. It is already being used, and it is growing in popularity. In the future, both will be needed, but with software, security needed more.
