
Software Applications: Vulnerabilities and Controls

Last reviewed: June 8, 2011

In today's technologically savvy world, traditional and Web applications are created and modified at an extremely high rate, and with this boost in applications comes the need for protection against vulnerabilities and hacking. Applications, no matter how well built, become at risk of being hacked by outside sources once they have been on the market for a certain amount of time, which proves extremely detrimental to individual users and to the companies developing these applications. By reviewing the common risk factors associated with traditional and Web applications, one can learn the tools that hackers use to exploit the vulnerabilities found in these applications, as well as the tools used to combat such hacking.

Introduction

In today's world of increasingly advanced technology, traditional and Web applications are both created and modified at levels that can produce an extremely high yield of use. However, developers and companies are not the only groups who are savvy to these advanced technologies, and hackers have become a major problem for the protection and integrity of the information stored in these applications. As hackers become more familiar with the inner workings of these applications, companies and developers have had to put increasing focus on pinpointing the vulnerabilities that exist in them. Once these vulnerabilities are discovered, it becomes easier to understand the tools that hackers use to exploit these applications, and only by understanding the motives and actions of the hacker can a developer understand what controls and protections are needed to ensure that the information in such applications is protected to the best of the application's abilities.

Risks and Vulnerabilities

A software vulnerability is essentially a glitch or a bug in a program that allows an unauthorized third party to gain access to information that should only be available to the application itself and the authorized user. MIT researchers note that

"Traditional and Web applications typically address this problem through access control, which involves authenticating users that want to gain access to the system, and ensuring that a user is properly authorized to perform any operation the server executes on her behalf. In theory, this approach should ensure that unauthorized attackers cannot subvert the application" (Dalton, Kozyrakis & Zeldovich, 2009).

However, many traditional and web applications fail to follow the aforementioned steps and suffer disastrously in the long run. Though the level of security that many companies and developers employ is unparalleled, it can be said that anything created by a man can be broken into by a man, which is a challenge many hackers are willing to take on with pleasure.
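The two steps in the quotation above, authenticating the user and then authorizing each operation, can be seen side by side in a short sketch. This is an added example, not code from the paper or its sources; the user names, records and function names are constructed for illustration, and credential verification is assumed to have happened before a session is issued.

```python
import hmac
import secrets

# Constructed sample data (hypothetical users and records).
USERS = {"alice": "user", "bob": "user", "root": "admin"}
RECORDS = {1: {"owner": "alice", "body": "alice's notes"},
           2: {"owner": "bob", "body": "bob's notes"}}
SESSIONS = {}  # session token -> username


class AccessDenied(Exception):
    pass


def issue_session(username):
    """Called only after the user's credentials were verified (assumed here)."""
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def authenticate(token):
    """Step 1: map the presented token to a known user, or refuse."""
    for known, user in SESSIONS.items():
        if hmac.compare_digest(known, token):  # constant-time comparison
            return user
    raise AccessDenied("not authenticated")


def authorize(user, action, record):
    """Step 2: may this user perform this action on this record?"""
    if USERS[user] == "admin":
        return
    if action == "read" and record["owner"] == user:
        return
    raise AccessDenied(f"{user} may not {action} this record")


def read_record_weak(token, record_id):
    """Flawed: authenticates but skips authorization, so any
    logged-in user can read any record by changing record_id."""
    authenticate(token)
    return RECORDS[record_id]["body"]


def read_record(token, record_id):
    """Hardened: authorizes the specific operation before executing it."""
    user = authenticate(token)
    record = RECORDS[record_id]
    authorize(user, "read", record)
    return record["body"]
```

With a session for `alice`, `read_record_weak` returns bob's record while `read_record` raises `AccessDenied`, which is the gap left when the authorization step is omitted.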

Though many of the vulnerabilities of these applications are seemingly subjective, depending on the specific application itself, the risks are more uniform. Should a hacker manage to break into a specific application and gain unauthorized access to immense amounts of information, the threat does not stop there. In addition to the compromise of private information, applications also run the risk of having viruses spread into their systems, doing damage not only by exposing confidential information but also by spreading through applications to attack other systems and essentially corrupt and shut down an application in its entirety. Realizing the extreme nature of the risks involved should hackers attack an application, companies and developers are consistently on the watch for new tools and strategies that hackers use, in order to combat them before they reach their systems.

Tools Hackers Use

When exploiting the vulnerabilities present in an application, hackers often resort to using the same tools that prove efficient in gaining unauthorized access to an application and the information contained within. Some of the most common tools and tactics for hacking into these applications are: virus programs, password cracking tools, phishing, Trojan horses, the exploitation of manufacturer default settings, data mining, company infiltration, or con games. All of these tools make it possible for a hacker to not only corrupt the application itself in terms of accessing confidential information, but further allow for the hacker to spread damage deep into the application to attack other systems, essentially able to shut down an entire application with the corruption of contained information.

Though some of the aforementioned tactics involve the physical infiltration of a company in order to gain information and access into applications, the more common hacking tactics are the use of technological tools that allow the hacker to access information from the comfort of their own computer. The SANS (SysAdmin, Audit, Network, Security) Institute notes that there currently "appear to be two main avenues for exploiting and compromising applications: brute force password guessing attacks and web application attacks" (Dhamankar, Eisenbarth & King, 2009). This type of attack seems to be trending at an unparalleled level as seen in the figure to the right featured in the aforementioned SANS report detailing reported application threats in 2009.

Controls and Protections

In viewing the risks that hacking poses and in viewing some of the tools that hackers use, it is clear that software vulnerability control is likely one of the most important parts of application security. Though application control is a relatively new development in information security, several software manufacturers have come out with products that have proven effective in fighting the threat of hacking and protecting application quality control. Author Tim McCollum (2008) notes that there are many operational systems products offered to companies that "shields applications and data from outside attacks. These shields automatically run after installing or modifying the server software so that the shield matches the most-current configuration, preventing applications from acting outside their normal parameters" (McCollum, 2008).

Application control can further be carried out on a personal level as well as a company level with the use of virus scanning software, which should essentially be run on every computer within an organization that uses a certain application. Though many virus scanners will only detect viruses within their databases, leaving unknown viruses a risk, methods such as patching applications to correct vulnerabilities as they appear prove to be vital in stopping viruses in their tracks. Further, password encryption at a company and individual level is a tool utilized to fight off the increasingly powerful hacking tool of password phishing.

Cite This Paper
PaperDue. (2011). Software Applications: Vulnerabilities and Controls. PaperDue. https://www.paperdue.com/essay/software-applications-vulnerabilities-and-42386
