Sunday, August 2, 2015

Security and Privacy on the Web


Abstract





Software enables every aspect of the Web. Everything from device communication to online social networks is possible only because of many lines of code. For various reasons, designing and building security and privacy into Web software is often an afterthought for most developers, which results in easily compromised systems that pose significant privacy and security risks to users. The guest editors talk with the CEO of Proficiency Labs and with Larry Koved, Principal Research Staff Member at IBM Research, about why, at a bare minimum, Web software developers must ensure that their code is sufficiently hardened to protect against URL interpretation attacks, input validation attacks, SQL injection attacks, impersonation attacks, basic inference attacks, buffer overflow attacks, and inadvertent data disclosure attacks.

Over the past few decades, software developed for the Web has become more intricate, requiring knowledge and use of multiple moving parts, that is, dynamic software development and deployment stacks.

At the same time, Web software is becoming more integral to the human experience. For most of us, our online personas and real identities are tightly integrated. Online systems augment and connect with physical systems to transform and accelerate prior analog-only mechanisms.
Mission-critical assets of corporations, infrastructure providers, governments, and average citizens rely more than ever on Web software. So, they're more exposed to attack through software vulnerabilities and flaws. This makes the creation of secure, privacy-preserving Web software essential to our future.

Web software, its supporting stack, and the Web software-engineering process must all have security and privacy mitigations integrated into them.
Challenges

The Edward Snowden revelations have shown that Web software insecurity is more widespread than most researchers previously thought possible. From weakening the random-number generators specified in encryption standards to eavesdropping on all forms of Internet traffic, a wide spectrum of problems needs fixing.
The Stack

Interactions online start with exchanges with a Domain Name System (DNS) server. This critical piece of network infrastructure is the directory service that translates a human-readable hostname into its machine-readable IP address; for example, www.google.com becomes 74.125.137.104.
An attacker might inject forged DNS data into recursive resolvers (cache poisoning), take over DNS servers and redirect traffic, tamper with a domain's registration, and so on. Software developers working at this level must be aware not only of DNS security standards such as DNSSEC but also of safe coding practices that reduce the likelihood of a successful DNS attack.
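The cache-poisoning case above is the one a resolver author can do the most about in code. The following is an added example (not code from the article or from any DNS implementation) of the three checks a cautious recursive resolver applies to an incoming response before caching anything: the transaction ID and destination port must match the outstanding query (both randomized at query time), the question section must match, and records outside the bailiwick of the server that was asked are dropped rather than cached. The record model, the sample answers and the poisoned response are all constructed inline for illustration; there is no network I/O.

```python
"""Resolver-side checks against a spoofed or poisoned DNS response.

Added example, not the article's code. The record model and all responses
below are constructed sample data; nothing is sent or received.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class RR:
    name: str        # owner name, e.g. "ns1.example.net."
    rtype: str       # "A", "NS", ...
    data: str        # rdata as text
    section: str     # "answer", "authority" or "additional"


@dataclass
class Query:
    txid: int        # 16-bit DNS transaction ID
    src_port: int    # UDP source port the query was sent from
    qname: str
    qtype: str
    zone: str        # zone the queried server is authoritative for (bailiwick)


@dataclass
class Response:
    txid: int
    dst_port: int
    qname: str
    qtype: str
    records: list = field(default_factory=list)


def new_query(qname, qtype, zone):
    """Randomize both the transaction ID and the source port so that a blind
    spoofer must guess roughly 32 bits per attempt instead of 16."""
    return Query(txid=secrets.randbelow(1 << 16),
                 src_port=1024 + secrets.randbelow(64512),
                 qname=qname.lower(), qtype=qtype, zone=zone.lower())


def in_bailiwick(name, zone):
    """True if `name` equals `zone` or lies below it, compared label-wise
    (so "notexample.net." is NOT inside "example.net.")."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def accept_response(query, resp):
    """Return the records that may be cached, or raise ValueError on a
    response that does not belong to the outstanding query."""
    if resp.txid != query.txid or resp.dst_port != query.src_port:
        raise ValueError("txid/port mismatch: spoofed or stale response")
    if (resp.qname.lower(), resp.qtype) != (query.qname, query.qtype):
        raise ValueError("question section does not match outstanding query")
    # Out-of-bailiwick glue is silently dropped; it must never reach the cache.
    return [rr for rr in resp.records if in_bailiwick(rr.name, query.zone)]


def is_rejected(query, resp):
    """Convenience wrapper: True if accept_response refuses the response."""
    try:
        accept_response(query, resp)
        return False
    except ValueError:
        return True


def demo():
    """Legitimate answer versus a poisoning attempt with matching IDs."""
    q = new_query("www.example.net", "A", "example.net")
    good = Response(q.txid, q.src_port, "www.example.net", "A", [
        RR("www.example.net.", "A", "192.0.2.10", "answer"),
        RR("example.net.", "NS", "ns1.example.net.", "authority"),
        RR("ns1.example.net.", "A", "192.0.2.53", "additional"),
    ])
    # Attacker got the IDs right but tries to plant addresses for other names.
    poisoned = Response(q.txid, q.src_port, "www.example.net", "A", [
        RR("www.example.net.", "A", "192.0.2.10", "answer"),
        RR("www.bank.example.", "A", "198.51.100.66", "additional"),
        RR("notexample.net.", "A", "198.51.100.67", "additional"),
    ])
    return ([r.name for r in accept_response(q, good)],
            [r.name for r in accept_response(q, poisoned)])


if __name__ == "__main__":
    print(demo())
```

The bailiwick rule is the part most often implemented loosely; a substring check instead of a label-wise one would let `notexample.net.` through, which is why the example tests that case explicitly.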

Once DNS has resolved the name and the user's client connects to the requested server, various attacks can occur on the communication channel. Examples include Web spoofing, denial-of-service attacks, and man-in-the-middle attacks. Developers must be aware of the security and privacy controls necessary to protect user data from these attacks; at a minimum, that means serving over TLS and rejecting any connection whose certificate does not validate for the expected hostname.
Developers leverage many programming frameworks to produce software quickly. Such a framework is a mixture of tools that eliminates configuration and deployment pain. It also makes many assumptions about the security and privacy risks its users are willing to tolerate. Software developers should be cognizant of these assumptions and of the framework's own mechanisms for improving security and privacy protections, such as parameterized database queries and output encoding.
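The abstract lists SQL injection and input validation among the attacks every Web developer must handle, and the paragraph above notes that frameworks already ship the mechanism for it. The following added example (not the article's code, nor any particular framework's) puts the vulnerable string-built query next to the hardened form. It uses the standard-library `sqlite3` module with an in-memory database and constructed sample rows so that it runs offline; the username allowlist pattern is an assumption chosen for the example.

```python
"""SQL injection: the string-built query beside its parameterized form.

Added example, not the article's code. The users table and its rows are
constructed sample data held in an in-memory SQLite database.
"""
import re
import sqlite3

# Assumed allowlist for this example: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (name, pw_hash) VALUES (?, ?)",
                     [("alice", "h1"), ("bob", "h2")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Classic bug: untrusted input is spliced into the SQL text, so the
    input can change the query's structure, not just its values."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Validate against an allowlist, then bind the value as a parameter.
    The database engine never parses the input as SQL."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def safe_rejects(conn, name):
    """True if the hardened lookup refuses the input outright."""
    try:
        find_user_safe(conn, name)
        return False
    except ValueError:
        return True


def demo():
    """Same attacker input against both lookups."""
    conn = make_db()
    payload = "' OR '1'='1"            # turns WHERE name = '' OR '1'='1'
    leaked = find_user_vulnerable(conn, payload)   # every row comes back
    blocked = safe_rejects(conn, payload)          # allowlist stops it first
    legit = find_user_safe(conn, "alice")
    return len(leaked), blocked, legit


if __name__ == "__main__":
    print(demo())
```

Parameter binding is the control that actually removes the injection; the allowlist check is defence in depth that also catches the other input-validation problems the abstract mentions, and it is why the safe lookup rejects the payload before the query ever runs.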

The focused villain will concentrate on the weakest link in the security chain, which is typically the human. This means finding creative ways to compromise a computer system by coercing the user or developer into producing information that can lead to circumvention of the software's defenses. Developers usually are unaware of the risks and have very limited ability to combat such attacks. A powerful prophylactic is to factor human behavior into the security and privacy mechanisms embedded in software.


Source: http://www.computer.org/web/computingnow/software
