Information security & Importance – III

How is software security different from software quality?

The objective of software quality and software security is the same: to ensure that software behaves in a dependable manner despite the presence of unfavorable circumstances. The difference lies in what motivates a failure of the desired property. Quality-related faults are unintentional or accidental, whereas security-related faults are sponsored or intentional.

As per Wikipedia, a software bug (or just “bug”) is an error, flaw, mistake, failure, fault or “undocumented feature” in a computer program that prevents it from behaving as intended. When a bug poses a threat by allowing an external force to violate the confidentiality, integrity or availability of software, it is called a security bug or vulnerability.

Many times, a number of bugs are acceptable and software is considered good enough to deploy even though it is unable to perform required functions in the specified manner. Most of the time software security is considered part of quality: once functional testing is done, the software is assumed to be secure and is shipped. Security bugs are different, however. A single vulnerability in software could wreak havoc.

Software bugs can range from an unsatisfactory user interface to code failures due to latency issues. In contrast, a security vulnerability allows an attacker to execute operations that are not intended. Most security vulnerabilities found in code are perfectly acceptable from a quality perspective, and the code is ready to ship.

Software quality is collective, and some bugs are sometimes acceptable; software security, however, is absolute, and security bugs are unacceptable most of the time.

Difference between software security & application security

People use software security and application security interchangeably, and there are valid arguments for that. Application security has emerged as a natural extension of network security. Application security protections and mitigations are defined at the perimeter or system level rather than in the individual application’s software architecture.

Software security is about building secure software. It is about analyzing requirements correctly, designing software to be secure, writing secure code, testing code paths and deploying to a secure environment.

Application security is about protecting software once it is already built. It is a black-box approach, an extension of the network security concept that fixes problems based on signatures. It is about penetration testing, setting least privileges for software execution, detecting intrusion, filtering malicious inputs, validating output – anything that can be done without touching the software itself.

The focus of software security is to build software without loopholes so that it cannot be attacked, whereas the focus of application security is to prevent attacks with or without correcting the vulnerability. Application security can be outsourced, but software security can’t be outsourced; it must be adopted by the team.

Application security

  • Issue-based, short-term approach
  • Application specific solution
  • Applicable after application is developed
  • Penetrate and patch
  • Security against known external attacks
  • Security specialists are required

Software security

  • Holistic, long-term approach
  • Applicable to all software
  • Integrated in SDLC
  • Root cause analysis
  • Security against known and unknown attacks
  • Security specialists are not required

Security relation with other properties of software

It is said that everything is covered under the umbrella of quality. Quality is a perceived attribute and is defined by the users of the system. Security is seen as just an extension of quality. Security issues like sensitive information disclosure due to an unhandled exception or password transmission in clear text can be considered quality issues; however, problems like a misconfigured application server or password sharing are security issues that are not within the boundary of quality. Nevertheless, security cannot be considered an isolated attribute, and architects often trade off security against other quality attributes of the software.

Security and usability
Many believe that security is inversely proportional to usability. Software that requires a password of at least 25 characters with 3 capitals, 3 numbers and 5 special characters is secure but less usable, while software without a password is very usable but insecure. As mentioned earlier, quality is defined by user perception, so for the above example a good balance of more than 8 characters with 2 special characters is a reasonably usable and secure solution.

Security and extendability
Extendability can be defined as accepting upgraded versions, applying fixes (including security fixes), and allowing plug-ins or extensions to broaden functionality without changing the original software. Extendable architectures often become victims of authorization and buffer overflow attacks. While reviewing an architecture written in C++, we noted that the software allowed end users to write their own DLLs for file extensions. We asked the development team how it would behave if someone uploaded malware or a .dll with command execution functionality. The development team understood the concept and restricted the functionality to approved file extensions. Interestingly, they also implemented our additional recommendation to identify files by their headers, so if a file is uploaded with a .txt extension but is actually a binary file, the software rejects that input.
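
The check described above, combining an approved-extension list with header inspection, can be sketched as follows. This is an added example in Python, not code from the reviewed C++ product; the approved extensions, the function name check_upload and the sample uploads are assumptions made for illustration.

```python
import os

# Assumed policy for this example: the only extensions the application accepts.
APPROVED_EXTENSIONS = {".txt", ".csv", ".png"}
# Leading bytes of common executable formats, rejected under any extension.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE (.exe/.dll)",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def check_upload(filename, data):
    """Return (accepted, reason) for an uploaded file name and its bytes."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in APPROVED_EXTENSIONS:
        return False, "extension not approved"
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return False, "header says " + kind
    if ext == ".png":
        ok = data.startswith(PNG_MAGIC)
        return ok, "ok" if ok else "missing PNG signature"
    # Text types: binary content shows up as NUL bytes or invalid UTF-8.
    if b"\x00" in data:
        return False, "binary content in text file"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "binary content in text file"
    return True, "ok"


# Constructed sample uploads (not real files).
SAMPLES = [
    ("notes.txt", b"meeting at 10:00\n"),
    ("plugin.dll", b"MZ\x90\x00\x03\x00"),
    ("notes.txt", b"MZ\x90\x00\x03\x00"),   # DLL renamed to .txt
    ("data.csv", b"\x01\x02\x00\x00\xff"),  # unknown binary blob
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, check_upload(name, blob))
```

The extension check alone accepts the third sample; only the header check rejects it, which is why the two controls are applied together.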

Security and performance
Performance is often used as an excuse for leaving security out of software. We observed a case where authorization was skipped because there were many users and authorizing each user was degrading performance. We suggested that the development team implement role-based authorization and store privileges in a cache. Implementing this improved software performance along with security.
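
The recommendation above, role-based authorization with privileges held in a cache, can be sketched as follows. This is an added example, not the reviewed team's code; RoleStore, Authorizer, the permission names and the TTL value are assumptions. The cache is keyed by role, so many users cost one backing-store lookup, and a TTL plus explicit invalidation keeps a revoked privilege from living on in the cache.

```python
import time


class RoleStore:
    """Stand-in for the slow backing store (database or directory)."""

    def __init__(self, role_permissions, user_roles):
        self.role_permissions = role_permissions  # role -> set of permissions
        self.user_roles = user_roles              # user -> list of roles
        self.lookups = 0                          # counts expensive reads

    def permissions_for_role(self, role):
        self.lookups += 1
        return frozenset(self.role_permissions.get(role, ()))


class Authorizer:
    def __init__(self, store, ttl_seconds=300, clock=time.monotonic):
        self.store = store
        self.ttl = ttl_seconds
        self.clock = clock
        self._cache = {}  # role -> (expires_at, permissions)

    def _role_permissions(self, role):
        now = self.clock()
        entry = self._cache.get(role)
        if entry is None or entry[0] <= now:
            # Miss or expired entry: one read from the backing store.
            entry = (now + self.ttl, self.store.permissions_for_role(role))
            self._cache[role] = entry
        return entry[1]

    def is_allowed(self, user, permission):
        # Deny by default: an unknown user has no roles, so nothing matches.
        roles = self.store.user_roles.get(user, ())
        return any(permission in self._role_permissions(r) for r in roles)

    def invalidate(self, role):
        """Call when a role's privileges change so revocation is immediate."""
        self._cache.pop(role, None)


def demo():
    # Constructed data: 1000 users who all share the "clerk" role.
    users = {"user%d" % i: ["clerk"] for i in range(1000)}
    store = RoleStore({"clerk": {"order:read"}}, users)
    auth = Authorizer(store)
    allowed = sum(auth.is_allowed(u, "order:read") for u in users)
    return allowed, store.lookups
```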

Security and Privacy
Many treat privacy and security as the same; however, there is an eye-opening difference. Privacy defines a way of complying with the policy, while security is a way of enforcing the policy. Security issues like disclosure of personally identifiable information (PII) are privacy issues, and in many countries they can have legal consequences. While reviewing an online shopping cart, we found that the application was logging customers’ credit card numbers and that the logs were accessible to system administrators.

What are the myths related to software security?
The following are myths of software security.

  • Our software is based on open source framework
  • Security is not part of URS
  • Firewall takes care of security
  • Security is implemented using SSL
  • Stable legacy system can’t be changed just to implement security
  • Peer review identifies security loopholes in code
  • Testing team tests everything before software is shipped
  • Application is tested with automated scanner
  • We know that attackers are not interested in exploiting non-financial application
  • Our quality process takes care of security

Information security is a crucial subject today that needs to be treated with utter seriousness by software industry folks. Elan Emerging Technologies has been a major pioneer in this sector of information security and has acquired ISO 27001:9000 certification, which ensures complete information security, so clients working with us can rest assured that their data, information and business are in safe hands.
