
As technology has advanced, accessing and using information has become far easier. Over time this has also worked to the advantage of cyber attackers: as attacks have increased, new methods and techniques have been developed on both sides.
At the same time, there are malicious actors who want to seize this data and use it for their own ends.
Software security means that a piece of software continues to carry out its function while defending itself and taking preventive measures against the threats and attacks it faces. The purpose of software security activities is to produce software that is more resistant to attack and better protected against it.
Attacks on software can have various aims: taking the software out of service entirely, making it serve a different purpose by injecting malicious code or modifying its own code, or using the software's weak points to infiltrate the system that runs it and the other software on that system.
Looking at the software development models proposed to date, a secure software development lifecycle can be seen at the foundation of all of them. The lifecycle described here has seven steps: training and awareness, requirements analysis, design and risk analysis, development, verification, deployment, and vulnerability management and feedback.
The first step, training and awareness, is a foundational element that must continue throughout the entire process: personnel must be made aware of the threats and trained in security testing. In the requirements analysis phase, the requirements for the development, security, and testing of the software are determined.
In design and risk analysis, methods such as threat modelling and privacy risk analysis are used to identify the risk categories the software falls into. During development, the software is built according to the decisions made in the previous steps; methods such as static source code analysis should be applied at this stage.
In the verification phase, the resulting software is tested against the fundamental security principles of confidentiality, integrity, and availability, and the vulnerabilities found are fixed. At the deployment stage the software has reached its final state and is released; as it reaches users, the results of the earlier work become visible.
In the vulnerability management and feedback step, user feedback and reported vulnerabilities are used to identify what was overlooked or needs to change. Personnel are then retrained on the areas found to be incomplete or erroneous, which brings the process back to its beginning.
The oldest of these, the CMM (Capability Maturity Model), dates from 1986. Its main focus is the improvement of existing applications and processes; it aims to address weaknesses in a specific area rather than building the product to security standards from the start.
CMMI (Capability Maturity Model Integration), which builds on the CMM, aims to help an organisation assess and manage its processes. It targets the improvement of the organisation's development, maintenance, and acquisition processes, and it defines five maturity levels.
Microsoft's SDL (Security Development Lifecycle) was developed to integrate security and privacy into development after the problems the company ran into with its own products. It follows the phases of the classical software lifecycle, and responsibility for running the process rests with the project manager.
OWASP's model was created to integrate information security activities into the software development process. It is independent of the size of the organisation and can be applied to a single task, to the whole organisation, or to a particular part of it.
In addition to these models there are many other secure software development approaches, each with its own advantages and disadvantages. It is hard to say that one model is better than another; what matters is to analyse the requirements in light of the organisation's structure, size, and business, and to select the model that fits. Choosing a model that is too heavy places an excessive workload on development and testing teams and makes the work more complex than it needs to be; choosing one that is too light lets through vulnerabilities that can harm users and put the organisation in a difficult position.
Code injection is the insertion and execution of attacker-supplied code in a target system by exploiting a vulnerability in the software or its environment. The common pattern is that untrusted input reaches an interpreter (an SQL engine, a shell, a browser) which treats it as code rather than as data.
To prevent this, inputs must be validated, and user-supplied values must never be pasted into strings that an interpreter will parse: for SQL, this means parameterised queries or parameterised stored procedures instead of string concatenation, and all input and output operations must be subject to control. A layered application architecture, in which data access is separated from presentation, also helps to contain these dangers.
XSS (cross-site scripting) is a type of attack that appears in the OWASP Top 10. The vulnerability arises when input received from a user is placed into a page as HTML without being encoded, so the browser treats it as markup or script rather than as text. For example, if an attacker writes JavaScript code into the comment section of a website and submits it, and an XSS vulnerability exists, the code executes in the browsers of the users who view that page, and undesired outcomes may follow. There are three types of XSS vulnerability: reflected, stored, and DOM-based.
In reflected XSS, the JavaScript payload is sent in the request itself, for example in a URL parameter or a form field, and the server echoes it straight back in its response. If that input is displayed on screen without encoding, the code executes.
In stored XSS, instead of being echoed directly, the input is saved somewhere such as a database. Afterwards, whenever users visit the relevant page normally, the code runs each time, as if the developer had written it into the page.
In DOM-based XSS, the malicious code runs by operating directly on DOM objects in the browser, without the payload ever reaching the server. Imagine a user list built with JavaScript from data taken from an untrusted source such as the URL. If the script writes that data into the page as HTML (for example through innerHTML), the construction of the list can be manipulated from outside to perform any operation the attacker wants.
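To make the reflected/stored distinction concrete, here is an added example in Python that is not code from the original article. It models the comment section (stored) and a search box that echoes its query (reflected); the payloads and page fragments are constructed for the example, and html.escape stands in for a framework's output encoding.

```python
import html

# Constructed payloads for this example (not from the original article).
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'


def encode_for_html(value):
    """Encode untrusted text for an HTML body or a double-quoted attribute value.
    quote=True also turns " and ' into entities; without it the attribute
    break-out below still works even though < and > are encoded."""
    return html.escape(value, quote=True)


class CommentBoard:
    """Stored XSS model: comments are kept and rendered for every later visitor."""

    def __init__(self, encode_output):
        self.encode_output = encode_output
        self.comments = []

    def post(self, text):
        # Storing the raw text is not the bug; rendering it unencoded later is.
        self.comments.append(text)

    def render(self):
        """Page every visitor receives. Without encoding, a single malicious
        comment runs in all of their browsers on every visit."""
        items = [encode_for_html(c) if self.encode_output else c for c in self.comments]
        return "<ul>" + "".join(f"<li>{c}</li>" for c in items) + "</ul>"


def search_page(query, encode_output):
    """Reflected XSS model: the request's own parameter is echoed straight back,
    once in the page body and once inside an attribute of the search box."""
    shown = encode_for_html(query) if encode_output else query
    return f'<input name="q" value="{shown}"><p>Results for: {shown}</p>'


def markup_is_clean(page):
    """Check used by this example: neither payload survives as live markup."""
    return SCRIPT_PAYLOAD not in page and 'onfocus="alert(1)' not in page


if __name__ == "__main__":
    board = CommentBoard(encode_output=False)
    board.post(SCRIPT_PAYLOAD)                       # one attacker posts once ...
    print("stored, unencoded   :", board.render())  # ... and every visitor gets this
    board = CommentBoard(encode_output=True)
    board.post(SCRIPT_PAYLOAD)
    print("stored, encoded     :", board.render())
    print("reflected, unencoded:", search_page(ATTR_PAYLOAD, False))
    print("reflected, encoded  :", search_page(ATTR_PAYLOAD, True))
    print("another user's search:", search_page("shoes", False))  # clean: nothing was stored
```

The stored board returns the same poisoned page to every visitor, whereas the reflected search page is only dangerous for the request that carried the payload, which is why reflected attacks need a victim to click a crafted link. The DOM-based case is not covered by this server-side encoding at all: there the fix lives in the browser script, which must write untrusted data with textContent rather than innerHTML.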
SQL injection is a vulnerability that arises from meta-characters: characters such as quotes and semicolons that carry special meaning for the SQL parser. Attackers write input that manipulates the SQL statement into fields such as those for usernames and passwords, and thereby gain access to the database. For example, imagine the text 10 or 1=1 is written into a field that is supposed to take a user ID. The SQL equivalent of this input is as follows:
SELECT * FROM Users WHERE UserID = 10 or 1=1
The expression or 1=1 in the WHERE clause makes the condition true for every row, so regardless of the UserID the whole list of users is returned. If user passwords are also stored in this table, all user information has been stolen.
In another situation, when data is entered into a numeric field, its data type must be checked. Suppose the value is concatenated, unchecked, into the following query template:
SELECT * FROM Users WHERE UserID = <input>
If a parameter such as 1; DROP TABLE Users; is entered, the statement becomes SELECT * FROM Users WHERE UserID = 1; DROP TABLE Users; and, on a database driver that executes stacked statements, the table is deleted.
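The two payloads above, run against a small SQLite table, as an added example that is not part of the original article. The Users table and its rows are constructed for the example, and sqlite3's executescript() is used to stand in for a database driver that executes stacked statements (sqlite3's own execute() refuses them). The same block also shows the prevention the code-injection section calls for: parameter binding, plus a type check on the numeric field.

```python
import sqlite3

# Constructed sample table for this example; the page's query template is
# SELECT * FROM Users WHERE UserID = <input>.
USERS = [(10, "alice", "pw-alice"), (11, "bob", "pw-bob"), (12, "carol", "pw-carol")]


def fresh_db():
    """Return a new in-memory SQLite database holding the sample Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table with this name is still present in the database."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn, raw):
    """The flaw from the text: the raw input is concatenated into the SQL string,
    so '10 or 1=1' becomes part of the WHERE clause and every row comes back."""
    sql = "SELECT * FROM Users WHERE UserID = " + raw
    return conn.execute(sql).fetchall()


def lookup_vulnerable_stacked(conn, raw):
    """Same concatenation on a driver that runs several ';'-separated statements.
    sqlite3's execute() refuses stacked statements, so executescript() models such
    a driver here; with it, '1; DROP TABLE Users;' really drops the table.
    executescript() discards SELECT rows, so only the side effect is observable."""
    sql = "SELECT * FROM Users WHERE UserID = " + raw
    conn.executescript(sql)


def lookup_parameterised(conn, raw):
    """Parameter binding: the input travels to the engine as a value and is never
    parsed as SQL, so both payloads are compared as literal text and match nothing."""
    return conn.execute("SELECT * FROM Users WHERE UserID = ?", (raw,)).fetchall()


def lookup_hardened(conn, raw):
    """The type check the text asks for on a numeric field, plus parameter binding."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("UserID must be a non-negative integer")
    return conn.execute("SELECT * FROM Users WHERE UserID = ?", (int(raw),)).fetchall()


def is_rejected(fn, conn, raw):
    """True if the lookup refuses the input with ValueError."""
    try:
        fn(conn, raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = fresh_db()
    print(len(lookup_vulnerable(db, "10")), "row(s) for the normal lookup")
    print(len(lookup_vulnerable(db, "10 or 1=1")), "row(s) with the 10 or 1=1 payload")
    print(len(lookup_parameterised(db, "10 or 1=1")), "row(s) once the value is bound as a parameter")
    print("hardened lookup rejects the payload:", is_rejected(lookup_hardened, db, "10 or 1=1"))
    lookup_vulnerable_stacked(db, "1; DROP TABLE Users;")
    print("Users table still exists after the stacked payload:", table_exists(db, "Users"))
```

Parameter binding alone already defeats both payloads, because the engine receives the statement and the value separately; the digit check is still worth adding, so that malformed input is rejected with a clear error instead of silently matching nothing.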
Command injection is a vulnerability that can exist in any application that passes data to the operating system's command line. Checking whether the received data contains words or characters that are special to the shell is not enough on its own: untrusted input must never be used to build a shell command string, and where a command must be run the value should be validated against an allow-list and passed as a separate argument rather than through the shell. Otherwise the attacker reaches the command line, and undesired situations occur on the system.
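An added example of the command injection described above, not code from the original article: the target application is assumed to run a command with a user-supplied host name, and echo stands in for the real tool (such as ping) so that the block runs anywhere. The payload and the host-name allow-list are constructed for the example.

```python
import re
import subprocess

# Allow-list for the one value this command accepts: a DNS host name made of
# RFC 1123 labels (letters, digits, hyphens; no leading or trailing hyphen).
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Constructed input for this example: a host name followed by a second, injected command.
PAYLOAD = "example.com; echo INJECTED"


def run_vulnerable(host):
    """The flaw from the text: the input is pasted into a shell command line, so ';'
    ends the intended command and whatever follows runs as a second command."""
    result = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return result.stdout


def run_without_shell(host):
    """First control: pass the value as its own argv element with no shell involved,
    so ';', '|', '$(...)' and friends are plain characters in a single argument."""
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout


def run_hardened(host):
    """Second control on top of the first: refuse anything that is not a host name,
    so the value cannot smuggle options such as '-n' into the command either."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("not a valid host name: %r" % host)
    return run_without_shell(host)


def is_rejected(host):
    """True if the hardened runner refuses the input."""
    try:
        run_hardened(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("shell string :", repr(run_vulnerable(PAYLOAD)))     # 'example.com\nINJECTED\n'
    print("argv list    :", repr(run_without_shell(PAYLOAD)))  # 'example.com; echo INJECTED\n'
    print("allow-list   :", is_rejected(PAYLOAD), is_rejected("example.com"))  # True False
```

The argv form removes the shell from the picture entirely, which is the control that actually stops the injection; the allow-list is the second layer, covering values that are not shell metacharacters but still change the command's behaviour (an argument starting with a hyphen, for instance). If a shell genuinely cannot be avoided, shlex.quote from the standard library is the fallback for quoting a single argument.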
Today, when everything is online, the security of software and hardware is critically important. If the necessary precautions are not taken, the resulting losses damage both the institution's reputation and its finances. With the tools now available, carrying out cyber attacks has become quite easy, and these developments must be followed. Personnel within the institution should also be trained on the relevant topics, and training in cybersecurity should be provided.