Software Defense Establishing Software Security

Software Defense

Establishing Software Security from the Ground Up: Core Defense Mechanisms as Aspects of Application Design

Protecting web applications and software networks from external hackers and from improper access and utilization by authorized users from within is an ongoing issue for developers and designers of such structures. These issues take on even greater importance when an overall framework for software development is being discussed and developed for internal use within a company; codifying and clarifying the security needs of new applications and the methods for meeting these needs is an essential element of the overall framework needs. There are four essential core defense areas that need to be addressed in this framework, and in each of the applications that are produced as a result of this framework.

The Four Core Defense Mechanisms: An Overview

The first major area of security concern that must be defended against is unauthorized access to and/or use of a program, database, or other software application by an otherwise-authorized user. This requires a great deal of compartmentalization and different layers of user-interfaced protection, such as username and password access at varying levels or different authorities and privileges attached to different accounts (Stuttard & Pinto 2007). One basic example of this is in an administrator vs. A non-administrator account on a specific computer or network; administrative users generally have access to more information and are capable of making changes to systems in ways that normal users are not.

Protecting security is meaningless, of course, if it comes at the cost of usability, and this is where the second core area of defense comes into play. Users must be able to input information into an application's various functions in order to use that application, but malformed input -- whether the malformation is intentional or accidental -- can create undesirable behaviors in the application's functioning. Safeguarding against this prevents both purposeful shut-down attacks and security overrides as well as accidental crashes, interruptions, or data losses (Stuttard & Pinto 2007). Designing applications such that input is mediated between the user and full utilization in the application, with malformed input kicked out of the application, is a standard yet still-developing area of system defense; greater specification in "natural" language regarding a programs design needs and input request prompts can also help to prevent accidental malformed input interruptions, such as error explanations and reloads on standard web application forms (Dalal et al. 2003, pp. 12).

In addition to the accidental interruptions and potential shut-downs and/or data losses that can occur, purposeful attacks that attempt to either access, delete, or corrupt information or application processes must also be guarded against. Rigorous testing by subjecting programs to attack-like scenarios is the best method for developing effective defense mechanisms to such attacks (Dalal et al. 2003, pp. 39). Alerting system administrators and shutting off access to certain application processes entirely are essential elements of many software defense mechanisms, though these can cause slow-downs of their own (Stuttard & Pinto 2007).

Finally, ensuring security and protection means enabling managers and administrators to have oversight over system use, functionality, and activity, and the necessary latitude to adjust access and functions when necessary. Allowing for such access necessarily creates a point of weakness, and this must be carefully guarded against through many levels of protection (Stuttard & Pinto 2007). Many of the same steps that are employed in access differentiation as described above can also be employed here -- multiple levels of access that is password protected, strict compartmentalization of data and of processes, and other features such as the recognition and removal of malicious input can all protect the opening that is created by administrative access to application information and code (Stuttard & Pinto 2007). Password-protected access to a web application's source code is one common example of this type of core defense capability, which grows more complex as both the complexity of the system and needs for security increase.

Direct Attacks and Unauthorized Use: A More Detailed View

Direct attacks on applications, especially web-based applications, are becoming increasingly common as programming knowledge and skills continue to develop and become more widespread. Defense mechanisms against such attacks include encryption, frequently changing passwords, and psychological deterrents such as false weak spots or even fake access points (Stuttard & Pinto 2007). As hackers continue to find ways through security systems, however, these systems continue to develop more advanced and more thorough safeguards.