
Identifying and Preventing Software Vulnerabilities 1

Identifying and Preventing Software Vulnerabilities


MCS6000 Hardening the Operating System



According to Securelist, "in its broadest sense, the term 'vulnerability' is associated with
some violation of a security policy. This may be due to weak security rules, or it may be that
there is a problem within the software itself. In theory, all computer systems have vulnerabilities;
whether or not they are serious depends on whether or not they are used to cause damage to the
system. There have been many attempts to clearly define the term 'vulnerability' and to separate
the two meanings. MITRE, a US federally funded research and development group, focuses on
analyzing and solving critical security issues. The group has produced the following definitions:
According to MITRE's CVE Terminology:
A universal vulnerability is a state in a computing system (or set of systems) which either:

allows an attacker to execute commands as another user

allows an attacker to access data that is contrary to the specified access restrictions for
that data

allows an attacker to pose as another entity

allows an attacker to conduct a denial of service

MITRE believes that when an attack is made possible by a weak or inappropriate security policy,
this is better described as 'exposure': An exposure is a state in a computing system (or set of
systems) which is not a universal vulnerability, but either:

allows an attacker to conduct information gathering activities

allows an attacker to hide activities

includes a capability that behaves as expected, but can be easily compromised

is a primary point of entry that an attacker may attempt to use to gain access to the system
or data

is considered a problem according to some reasonable security policy



When trying to gain unauthorized access to a system, an intruder usually first conducts a routine
scan (or investigation) of the target, collects any 'exposed' data, and then exploits security policy
weaknesses or vulnerabilities. Vulnerabilities and exposures are therefore both important points
to check when securing a system against unauthorized access".
According to Comptechdoc.org, "a software vulnerability is some defect in software
which may allow a third party or program to gain unauthorized access to some resource.
Software vulnerability control is one of the most important parts of computer and network
security for the following reasons.

Virus programs use vulnerabilities in operating system and application software to gain
unauthorized access, spread, and do damage.

Intruders use vulnerabilities in operating system and application software to gain
unauthorized access, attack other systems, and do damage.

Some software itself may be hostile.

If software vulnerabilities did not exist, I believe that viruses would not exist and gaining any
unauthorized access to resources would be very difficult indeed. The primary tools for
unauthorized access would then become:

Trojan horse programs (described below)

Network sniffing.

Password cracking through network sniffing.

Man in the middle attacks.

Most unauthorized access would then most likely be done by employees of the organization or
the unauthorized access would be due to very sloppy firewall administration or user error.



While traditional software testing provides a robust means of testing software function
and performance under a range of expected conditions, it often fails to identify weaknesses that
can arise from unexpected inputs. When faced with such inputs, many network devices can fail,
or behave in unexpected ways. A classic example is a malformed packet, which could cause a
buffer overflow in the system controlling a network device. Traditional testing may not address
such a condition, since the input is essentially random "nonsense". However, the software error
that results could open the device to control by unauthorized, outside entities. In fact, hackers
exploit these failures (known as "zero day" vulnerabilities, since they often are not identified
until the device is deployed and operational) to gain unauthorized access to Internet-accessible
resources.
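
The malformed-packet case described above, as an added example that is not part of the original paper: a parser for a constructed length-prefixed packet format, shown in an unchecked form and a hardened form, with a negative test that sweeps every value of the length field. The packet layout, MAX_PAYLOAD and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PAYLOAD 16  /* assumed size of the device's fixed receive buffer */

/* Constructed wire format: [type:1][len:2, big-endian][payload: len bytes] */
struct msg { uint8_t type; uint16_t len; uint8_t payload[MAX_PAYLOAD]; };

/* Unchecked form: trusts the sender's length field. A length above
 * MAX_PAYLOAD writes past out->payload, and a length larger than the
 * bytes actually received reads past the end of pkt. */
int parse_unchecked(const uint8_t *pkt, size_t n, struct msg *out) {
    (void)n;                                   /* received size is ignored */
    out->type = pkt[0];
    out->len = (uint16_t)((pkt[1] << 8) | pkt[2]);
    memcpy(out->payload, pkt + 3, out->len);
    return 0;
}

/* Hardened form: every length is validated before any byte is copied. */
int parse_checked(const uint8_t *pkt, size_t n, struct msg *out) {
    if (pkt == NULL || out == NULL || n < 3) return -1;  /* truncated header */
    uint16_t len = (uint16_t)((pkt[1] << 8) | pkt[2]);
    if (len > MAX_PAYLOAD) return -2;          /* would overflow the buffer */
    if ((size_t)len > n - 3) return -3;        /* claims more than was received */
    out->type = pkt[0];
    out->len = len;
    memcpy(out->payload, pkt + 3, len);
    return 0;
}

/* Negative test: try all 65536 length-field values against one 19-byte
 * packet and count how many the hardened parser accepts. Only the values
 * 0..MAX_PAYLOAD are valid for this packet. */
int accepted_lengths(void) {
    uint8_t pkt[3 + MAX_PAYLOAD] = {0x01};
    struct msg m;
    int accepted = 0;
    for (uint32_t len = 0; len <= 0xFFFF; len++) {
        pkt[1] = (uint8_t)(len >> 8);
        pkt[2] = (uint8_t)(len & 0xFF);
        if (parse_checked(pkt, sizeof pkt, &m) == 0) accepted++;
    }
    return accepted;
}
```
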
Telcordia Software Vulnerability Testing service, available to both network equipment
providers (NEPs) and Communications Service Providers (CSPs), helps identify and resolve
software flaws that can cause unexpected security and performance weaknesses in network
devices. It is an increasingly important and necessary complement to traditional software testing.



References
SecureList. Software vulnerabilities. http://www.securelist.com/en/threats/vulnerabilities?
Software Vulnerability Testing. TELCORDIA IS NOW PART OF ERICSSON.
http://www.telcordia.com/services/testing/software-vulnerability-testing/index.html
The Computer Technology Documentation Project. Software Vulnerability Control.
http://www.comptechdoc.org/independent/security/recommendations/secsoftwarev.html
