Critical Control 7: Application Software Security
- Sunday, February 7, 2010, 7:52
- Threat Research
Critical Control 7: Application Software Security
When a programmer creates code for a program, their main focus is to ensure they deliver working code on time. They do not take the time to ensure that all of the code is free of security vulnerabilities. The assumption is made that this will be done during other phases of the development process. Attacks against vulnerabilities in Web-based and other application software have been a top priority for criminal organizations in recent years. Application software that does not properly check the size of user input fails to sanitize user input by filtering out unneeded but potentially malicious character sequences, or does not initialize and clear variables properly could be vulnerable to remote compromise. Attackers can inject specific exploits, including buffer overflows, SQL injection attacks, and cross-site scripting code to gain control over vulnerable machines. In one attack, more than 1 million Web servers were exploited and turned into infection engines for visitors to those sites using SQL injection. During that attack, trusted Web sites from state governments and other organizations compromised by attackers were used to infected hundreds or thousands of browsers that accessed those websites. Many more Web and non-Web application vulnerabilities are discovered on a regular basis.
To avoid such attacks, both internally developed and third-party application software must be carefully tested to find security flaws. For third-party application software, enterprises should
Continue reading...