Threats to Software Programs You Should Know for a Job in Information Security

By Peter H. Gregory

You will need to know about threats to software if you plan on working in information security. Software programs play a key role in facilitating access to sensitive information. For this reason, software is often attacked, in the hopes that a weakness in a software program will enable the attacker to obtain the entire trove of information to which the software program has access. Organizations must ensure that their software programs have no vulnerabilities that can be exploited by others.

Plenty of threats are carried out against software programs every day; they are the “low-hanging fruit” targets in the cybercrime world. The most well-known threats, plus countermeasures, follow:

  • Buffer overflow: In a buffer overflow attack, the attacker supplies data to an input field for which the program performs little or no input validation or boundary checking. In a successful buffer overflow, the input data literally overflows the memory storage area set aside for it. The overflowing data consists of machine-readable instructions that the attacker hopes will be executed, leading to control of the application program and perhaps the entire machine. The main countermeasure against buffer overflow is boundary definition and checking.

  • Authentication bypass: Often, only a user ID and password are protecting sensitive data. For this reason, attackers will use every trick in the book to bypass authentication to get straight at sensitive data.

    All attack types listed here represent some method for bypassing authentication.

  • Injection attack: Similar to a buffer overflow, an injection attack inserts script or query-language text into an input field in a way that tricks the target system into executing it. Types of injection attacks include SQL injection (instructions to the back-end DBMS) and script injection. The countermeasure to injection attacks is careful parsing and filtering of all input data, so that no commands are allowed or accepted.

  • Malicious software: Often used together with buffer overflow and injection attacks, malicious software (commonly known as malware) is designed to steal or alter data, steal login credentials, or permit a takeover of the target system for almost any malicious purpose. Countermeasures to malware include antimalware (formerly known as antivirus) and intrusion prevention systems (IPS).

  • Mobile code: Similar to malware, mobile code is downloaded and executed in real time. The most common type of mobile code is code downloaded by a web browser, such as JavaScript. Countermeasures against mobile code include tighter controls on browsers and other software to limit or prohibit mobile code from being downloaded and executed. Application whitelisting (the use of a tool or technique to permit only known programs to run) can also be an effective countermeasure.

  • Logic bomb: A logic bomb is code that performs some malicious action, such as deleting or altering data. A programmer or an outsider might place a logic bomb in an application. Countermeasures against logic bombs include code reviews and tight access control to source code.

  • Back door: A back door is a feature that a developer places in an application that enables some type of undocumented feature or access to the system or database. Back doors are often used during development and should be removed. Countermeasures against back doors include code reviews and tight access control to source code.

  • Object reuse: Object reuse is a flaw in an application or its underlying operating system that permits another process to access residual data no longer used by the application. Examples include released memory space that wasn’t cleaned up and temporary files. Countermeasures include proper OS selection and configuration to prevent other processes from accessing residual memory, and better access controls for (or erasure of) temporary files.

  • Social engineering: Social engineering is any act in which an attacker attempts to trick a user into performing some action. Social engineering can take place in person (an attacker pretending to be a package delivery person), by telephone (a caller pretending to be IT staff or a user who needs help), or online (by phishing). Unlike many online attacks, for which effective countermeasures are available, social engineering attacks can often be successful.
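The injection bullet above says the countermeasure is careful parsing and filtering of input; the following is an added example (not from the article) that shows a query built by string formatting beside the two defensive measures, allow-list validation and a parameterized query, using Python's standard sqlite3 module and a constructed in-memory table.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data (not from the original article), kept in memory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The untrusted value is pasted into the SQL text, so the DBMS cannot tell
    # where the developer's query ends and the user's input begins.
    sql = f"SELECT username, email FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The value travels separately from the SQL text and is only ever data,
    # so a quote or OR clause inside it cannot change the query's structure.
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username: str) -> bool:
    # Allow-list check: accept only the characters a username may contain.
    # This is the "careful parsing and filtering" step, done before any query.
    return USERNAME_RE.match(username) is not None


def demo() -> dict:
    conn = build_db()
    hostile = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    return {
        "vulnerable_normal_rows": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_hostile_rows": len(lookup_vulnerable(conn, hostile)),
        "parameterized_hostile_rows": len(lookup_parameterized(conn, hostile)),
        "hostile_passes_validation": validate_username(hostile),
        "normal_passes_validation": validate_username("alice"),
    }


if __name__ == "__main__":
    print(demo())
```

With the formatted query the hostile value returns every row in the table; the parameterized query returns none, and the allow-list check rejects the value before it reaches the database at all.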