Code Analysis Vulnerabilities FAQ:


Where do application security vulnerabilities originate?

Applications are vulnerable most often because they are written that way. Vulnerabilities from inadequately designed or written code create opportunities for attackers to threaten privacy and steal data. The only way to eliminate these security vulnerabilities is to get them where they live: in the source code itself.

Which of the applications in my organization could contain security vulnerabilities?

Security vulnerabilities can exist in virtually any application accessible via the Internet or other networks. Web applications provide a popular avenue for delivering information and services, which makes them attractive targets for attack. These applications can contain security vulnerabilities that, unless identified by some reliable means, can remain undetected until an exploit is discovered and the damage has been done.

Many organizations neglect to monitor system activity at the Web application level, so intrusion attempts can easily go unnoticed. Since a carefully crafted exploit may leave little evidence, a significant lag may result between the exploit and its detection.

Newer programming languages and tools can provide improved security over older techniques, thereby reducing the possibility of software security vulnerabilities and subsequent attacks. But many new systems continue to rely on older, or "legacy," systems to provide behind-the-scenes access to databases and program logic. Because these legacy systems and database management tools were not designed to contemplate threats from the Internet, they may be vulnerable to exploits relayed to them by the Internet-facing systems with which they interface.

What are the most common application vulnerabilities that compromise information security?

The most common application security vulnerabilities fall into two categories: coding errors and design flaws. Coding errors are programming flaws related to input validation, unbounded parameters and encoding, and they include:

  • Unvalidated sources of input
  • Use of unvalidated input
  • Unvalidated output streams

Design flaws consist of insecure implementation of security mechanisms, and they include:

  • Flawed authorization and access control
  • Flawed authorization and session management
  • Native code and buffer overflows
  • Dynamic code
  • Weak encryption
  • Application configuration
  • Denial of service
  • Network communications
  • Unsupported application interfaces
  • Improper administrative and exception handling

For more detailed information on specific software vulnerabilities, please refer to “The Path to a Secure Application: A Source Code Security Review Checklist”.

What are some of the application vulnerabilities for which the newer programming languages provide no security advantage?

Web applications may invoke native methods, libraries or drivers that are written in C and C++, introducing security risks that would otherwise not be present in Web code. Native code is not protected by the built-in security model unique to Web application languages. This means native methods may allow for untrusted, malicious code to access local system resources, either by providing access to new resources and failing to secure them properly or by bypassing existing security checks.

To mitigate the security risk from these application vulnerabilities, methods or libraries that indicate the use of native code throughout the program must be identified. All input passed to these calls should be validated for content to prevent an attacker from injecting malicious commands into the application. Similarly, the length of input should be limited to reduce the risk of a buffer overflow.

Native code is particularly vulnerable to buffer overflow attacks. To ensure that the application never passes a string parameter longer than the native routine's maximum allowable length, input passed to native code must be checked for both content and length, which prevents both malicious and unintentional buffer overflows.
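As an added illustration, not code from the original FAQ, the following C code shows the content-and-length gate the text calls for, placed in front of a hypothetical native routine that copies into a fixed-size buffer; the buffer size, the allowed character set (an account identifier) and all function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NATIVE_BUF_SIZE 32   /* assumed size of the native library's fixed buffer */

enum input_status { INPUT_OK = 0, INPUT_NULL, INPUT_TOO_LONG, INPUT_BAD_CHAR };

/* Bounded length scan: reads at most max bytes, so an unterminated input
 * cannot make the check itself read out of bounds. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* The gate the FAQ calls for: check content (allow-list of characters the
 * native routine is assumed to expect, here an account identifier) and
 * length (must fit in the native buffer together with its NUL terminator). */
enum input_status validate_native_input(const char *value) {
    if (value == NULL)
        return INPUT_NULL;
    size_t len = bounded_len(value, NATIVE_BUF_SIZE);
    if (len >= NATIVE_BUF_SIZE)
        return INPUT_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '-' && c != '_')
            return INPUT_BAD_CHAR;
    }
    return INPUT_OK;
}

/* Hypothetical native routine with a fixed-size stack buffer. An unchecked
 * strcpy here is the overflow the text warns about; the bounded copy
 * truncates instead, as defence in depth behind the gate. */
int native_lookup(const char *value) {
    char buf[NATIVE_BUF_SIZE];
    snprintf(buf, sizeof buf, "%s", value);
    return (int)strlen(buf);
}

/* Web-layer wrapper: the only path to native_lookup. Rejected input never
 * reaches native code; the caller gets -1 and can log the rejection. */
int guarded_native_lookup(const char *value) {
    if (validate_native_input(value) != INPUT_OK)
        return -1;
    return native_lookup(value);
}
```

The same gate applies to any native call that takes a string; only the allow-list and the buffer size change per routine.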

Where can I find more information on software security vulnerabilities?

For more detailed information on specific software vulnerabilities, please refer to “The Path to a Secure Application: A Source Code Security Review Checklist”.

To get a closer look at application vulnerabilities within open source applications, please read our case study that examines the results of a detailed software security audit and outlines the best methods for uncovering and eliminating application vulnerabilities, Inside the Security of Open Source.

Who is responsible for source code analysis?

While many positions within an organization have responsibilities for ensuring the security of online applications, software security assurance is an enterprise-wide responsibility. Developers and security analysts must make sure that the code they deliver aligns with secure coding best practices and major compliance guidelines. Proving compliance with these guidelines is also within the direct purview of the CEO, CFO, and audit committees, since software vulnerabilities represent significant control deficiencies in terms of secure and reliable information, processes, and reporting. Security vulnerabilities may also result in the theft of personal and other sensitive information, and therefore also affect the roles and responsibilities of management positions throughout the enterprise. For a detailed discussion of roles and responsibilities within a software security auditing program, please refer to the Ounce Labs' Software Security Audit Framework.
