Software Security Testing Part — I
The Basics of Software Security
Welcome to the first module of this workshop. In this workshop, we will be learning about the overall software security testing happening in the field of information security, covering many aspects of security. However, in this module, we will talk about the knowledge base, the basics of software security.
* Sound knowledge in computer programming
* Sound knowledge of information security and related technologies
* Expert in any one programming language
The Software Industry
The software industry is approximately 50+ years old and it has progressed from a very basic level of software to complex development and now there is a lot of competition among developers and in the mobile software development market.
Most importantly, in today’s software industry, there are threats to the software we normally and generally use, e.g., operating systems, like Windows. However, to overcome this, we use different types of tools in order to protect our Personal Computer (PC), and we will be exploring types of software next.
Types of Software
There are many types of software that are broadly categorized as per their usage and operations they perform. Some common types of software are listed below:
These are a few of the many types of software available in the market and we cannot list them all here. It’s just to give readers an idea about different types and purposes of software. We can divide the software industry into two main types or classes of software:
* System Software (Operating Systems)
* Application Software (e.g., Office)
You might be wondering why we haven’t listed and security software. Well, our focus is on the security aspects of the software, so let’s define security software.
What is Security Software?
Security software is specially built or designed to perform certain dedicated tasks like:
* Stop malfunction and repair the damage that others cause to your computer or network.
Different types of security software may be focused on preventing attacks from reaching their target, on limiting the damage attacks can cause if they reach their target, and on tracking the damage that has been caused so that it can be repaired.
You cannot guarantee that this software will provide 100% security but what we can claim is that as the nature of malicious code evolves, security software also evolves, and some of these software programs are given below.
Anti-spyware software can protect your computer by providing real-time protection against malware, spyware, and adware installations, as well as by detecting and removing such programs that are already installed on your computer.
“Spyware attaches itself to individual computers to perform functions like monitoring Internet navigation and stealing information. Spyware can track your personal data and then send it to cybercriminals.”
Anti-virus software can protect your computer from a range of cyber threats, like viruses, worms, rootkits, and phishing attacks. The software keeps you protected by scanning files to look for known viruses, and by using what is known as heuristics to identify suspicious behavior, which may indicate a threat.
“A virus is code that recursively replicates a possibly evolved copy of itself. Viruses use computers to spread from one to another. They often perform a function that can erase files and processes from your computer”
A firewall provides critical protection to keep your PC safe from unauthorized access, but it cannot remove malware from a system that has already been infected; therefore, it should be used in conjunction with anti-spyware and anti-virus software.
The most important thing to remember is that even after ensuring that you have covered the basic requirements of your software by using any of the above tools, that still doesn’t guarantee security to your system. If you are using “Microsoft Windows”, then you are more exposed to potential threats if you go online and access the internet and this is obvious as “MS Windows” is the end user’s favorite operating system, hence more often targeted by hackers.
Some Common Sense
The fact is that antivirus or anti-malware or any security software programs aren’t perfect. If you’re relying on your antivirus alone to protect you, you’re putting yourself at risk. You should still follow basic techniques and practices in order to ensure security and these techniques are nothing advanced, just common-sense computer security practices.
“Be careful about the programs you download and run. You should only download and run trustworthy software. Get the software from its official website — if you want to download your favorite music player, download it from its official website. Don’t click such banners on another website and download it from someone else that may bundle malware or adware along with it.”
You should also keep your programs or software updated, regardless of their types. Patch Management is also a good security measure when it comes to keeping your software safe from the latest vulnerabilities.
Basically, patch management is an area of systems or software management that involves acquiring, testing, and installing multiple patches. This can also be viewed as a part of change management.
Secure Coding of Software
Writing a piece of code is easy, however, writing a secure piece of code is not that easy and there is a difference between writing code and writing secure code! When a developer writes code, his priority is usually ensuring delivery of the software and making sure that functionality is achieved regardless of security aspects, like ensuring validations on inputs. Therefore, not all developers are good at writing secure code. Also, there is a set method, or methodology, which is required to be followed that we will be exploring in upcoming modules.
Flaws appear in software because somewhere along with the requirement, development, and testing of the overall software development lifecycle, the mandate of secure software fell on the floor and was actually neglected.
Software is only secure when it’s designed with security considerations during the lifecycle of its development. If you are attempting to add security after the overall development of the software, then there is a chance that even more problems will occur than when it’s considered from the start of software development.
If you really want to build secure software, then security should be built into the development life cycle itself and management should be involved to present how an organization thinks about and developments software, with security in mind.
In the next module, we will be exploring different types of techniques consultants and security professionals use to evaluate the security aspects of the software code. There are different tools and techniques which are well known and used by the industry as best practices in order to set a standard in the field of security testing, or security review, of software, however, this is not the only solution in order to ensure the security of your software piece. We will be highlighting security in the software development lifecycle in a separate module to present an idea of how you can make it happen from the beginning of the software development lifecycle. We will also present a demo — a practical approach on how you can evaluate software security!
Originally published at https://learncybersec.blogspot.com.