The software security landscape
The quantity of software used every day is continually growing. Consumers and businesses are increasingly vulnerable to cyberattack the more they rely on technology. Most software contains vulnerabilities which leave it open to exploitation.
The average web application contains 33 vulnerabilities, including six high-severity ones. Nearly 22,000 new vulnerabilities were discovered in 2018 alone.
The massive increase in software vulnerabilities makes traditional security approaches, like patching, unscalable. Ensuring that vulnerable software doesn’t reach production requires managing the software threat landscape. That management begins with software developers, who need to know how to recognize and remediate common and exploitable coding errors.
Common coding errors
Most software vulnerabilities are caused by a small set of programming errors. The vast majority of new vulnerabilities discovered each year are the same mistakes being made in different ways.
Knowledge of these vulnerabilities has been around for some time. The Open Web Application Security Project (OWASP) regularly publishes a Top Ten list of the most common vulnerabilities seen in web applications. However, the same old vulnerabilities regularly appear in new software.
Buffer overflow vulnerabilities are caused by errors in memory management and user input validation. If an application attempts to store more data in a block of memory than the allocated block can hold, the excess is written past its end, and an attacker who controls the input can write to memory that should not be under their control.
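The following is an added example, not code from the original post, showing the pattern just described in C: a fixed-size field copied with an unbounded strcpy, beside a bounds-checked replacement that rejects oversized input instead of overrunning the buffer. The struct, field and function names are illustrative assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Illustrative record: on many layouts 'is_admin' sits directly after
 * 'name', so an overrun of 'name' lands on a security-relevant field. */
struct user_record {
    char name[NAME_LEN];
    int  is_admin;
};

/* Vulnerable form: strcpy copies until it finds a NUL and never consults
 * the size of 'name'. Input longer than NAME_LEN - 1 bytes writes past
 * the buffer into whatever follows it. */
void set_name_unsafe(struct user_record *rec, const char *input)
{
    strcpy(rec->name, input);
}

/* Hardened form: measure the input (bounded, so an unterminated input
 * cannot cause an over-read), refuse anything that does not fit with its
 * terminating NUL, and leave the record untouched on rejection.
 * Returns 0 on success, -1 if the input was rejected. */
int set_name_safe(struct user_record *rec, const char *input)
{
    size_t len = strnlen(input, NAME_LEN);
    if (len >= NAME_LEN)
        return -1;
    memcpy(rec->name, input, len + 1);   /* +1 copies the NUL */
    return 0;
}

int main(void)
{
    struct user_record rec = { "guest", 0 };
    /* Constructed input: 31 characters, roughly twice what 'name' holds. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    if (set_name_safe(&rec, too_long) == -1)
        printf("rejected %zu-byte input for a %d-byte field\n",
               strlen(too_long), NAME_LEN);
    if (set_name_safe(&rec, "alice") == 0)
        printf("name=%s is_admin=%d\n", rec.name, rec.is_admin);

    /* set_name_unsafe(&rec, too_long) would overrun 'name' and clobber
     * 'is_admin'; that is undefined behaviour and is deliberately not run. */
    return 0;
}
```

The defensive version fails closed: an oversized input is an error the caller must handle, not something silently truncated or, worse, written past the field. Compiling with `-fstack-protector` or running under AddressSanitizer (`-fsanitize=address`) would flag the unsafe variant at runtime, which is the check a reviewer would ask for alongside the code fix.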
Integer overflows and underflows can occur when a developer performs unsafe conversions between different variable types, or when arithmetic exceeds the range of the type holding the result. Storing a value in an inappropriate variable type can cause it to be interpreted later as a different value, for example a negative length that becomes a very large unsigned one.
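As an added example (not from the original post), the C functions below show three ways the conversion problem just described surfaces, each beside a checked version: a signed length compared as signed and then handed to an unsigned parameter, an allocation size that wraps around `SIZE_MAX`, and a narrowing store that silently drops high bits. `BUF_SIZE` and the function names are illustrative assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 64

/* Vulnerable check: 'len' is compared as a signed int, so a negative
 * length from untrusted input passes. A later memcpy(buf, src, len)
 * converts it to size_t, turning -1 into a huge copy length. */
int length_ok_unsafe(int len)
{
    return len <= (int)BUF_SIZE;   /* -1 <= 64 is true */
}

/* Hardened: reject negatives before any comparison involving size_t. */
int length_ok_safe(int len)
{
    if (len < 0)
        return 0;
    return (size_t)len <= BUF_SIZE;
}

/* count * elem computed in size_t wraps silently, so a very large count
 * can yield a small allocation that is then indexed as if it were large.
 * Returns 0 and stores the product on success, -1 if it would wrap. */
int checked_alloc_size(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return -1;
    *out = count * elem;
    return 0;
}

/* Narrowing a 32-bit value into a 16-bit field keeps only the low 16
 * bits: 70000 becomes 4464. Refuse values that do not fit instead. */
int store_u16_checked(uint32_t value, uint16_t *out)
{
    if (value > UINT16_MAX)
        return -1;
    *out = (uint16_t)value;
    return 0;
}

int main(void)
{
    size_t   n;
    uint16_t h;

    /* Constructed values representing what a parser might hand us. */
    printf("unsafe check accepts -1: %d, safe check accepts -1: %d\n",
           length_ok_unsafe(-1), length_ok_safe(-1));

    if (checked_alloc_size(SIZE_MAX / 4 + 1, 8, &n) == -1)
        printf("allocation size would wrap; rejected\n");

    if (store_u16_checked(70000u, &h) == -1)
        printf("70000 does not fit in 16 bits (would truncate to %u)\n",
               (unsigned)(70000u & 0xFFFFu));
    return 0;
}
```

Compilers can help find the first two classes: `-Wsign-compare` and `-Wconversion` warn on the mixed comparisons and narrowing stores, and `-fsanitize=undefined` traps signed overflow at runtime. Unsigned wrap-around is defined behaviour, though, so only an explicit bound check such as the one in `checked_alloc_size` catches it.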
Race conditions arise from a failure to properly synchronize parallel processing. If the result of an application’s execution depends upon the order in which multiple threads access shared resources, an exploitable vulnerability may exist.
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/KXiARbGp3AI/