Type Of Security Vulnerabilities Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Businesses and organizations use many different kinds of information systems to support various processes that a business needs to carry out its functions. Each information system has a life cycle from planning a new system to maintenance of the developed system. After planning and analysis for a new information system, design process follows based on the requirements defined and decisions made during analysis. Typical system design is about making sure that the new system should work properly to solve current business problems, and well designed systems should be prevented from expected and unexpected errors. System faults causing constant losses in productivity create not only functionally bad performance but also security vulnerabilities. Security vulnerability is a flaw in a product that makes it infeasible - even when using the product properly -to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust. [1] 

Even if security vulnerability does not usually affect functional performance, it enables hackers or malwares to attack the system resulting in devastating losses. In July 2009, the largest bank in the United Kingdom was fined 3.2 million British pounds (about 5.25 million US dollars) after losing media containing customer information, and sending confidential data through insecure third parties without encryption. [2] This is just one example that failed security results in not only direct penalty but also even more indirect expenses in terms of the loss of customer faith and loyalty from the negative publicity. As it is a tendency of getting larger and more complex, software are getting more vulnerable in security. Symantec, a leading vendor of security software, found 3,758 vulnerabilities in software in 2005, up 42 percent from the previous year. The U.S. Department of Commerce National Institute of Standards and Technology (NIST) reported that software flaws (including vulnerabilities to hackers and malware) cost the U.S. economy $59.6 billion each year. [3] It is natural that software reliability is generally accepted as the key factor in software quality and an essential ingredient in customer satisfaction.

Type of security vulnerabilities

The number of cyber attacks targeting organizations or companies is getting larger and more sophisticated. Most of the software reliability problems are the result of faulty code, and unreliable software with security problems, once discovered, will be exploited until they are fixed. But many companies are having trouble determining which threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first. Experts say the following common problems in software code, which programmers haven't bothered to mitigate, account for the vast majority of vulnerabilities. [4] 

Buffer overflows: If a programmer doesn't tell a program to limit the amount of data that can go into an input field, a malfeasant can stuff that field with tons of data, flooding other parts of memory and letting the bad guy take control of the system.

Format string vulnerabilities: Format strings are what tell, say, a printer how to present letters and numbers on a page. If a user inputs rogue code into the format string, they can take control of the computer, in a similar way to buffer overflows.

Canonicalization issues: An attacker can bypass security checks simply by knowing that when Y program handles X program's data, it doesn't do the same security check.

Inadequate privilege checking: Someone can slip in unchecked if a program doesn't ask for authentication at every doorway to features.

Script injection: If a programmer fails to strip out the capability to run script, attackers can enter and run it. For example, attackers could enter commands into a SQL database query that allows them to execute commands on the system.

Information leakage: Because of poor design, some programs expose their own playbooks-directory structures, configuration information, IP addresses, passwords-to attackers who know where to look for such information.

Error handling: A subset of information leakage, sometimes the way a program handles an error exposes information an attacker can use. For example, an e-mail bounces back and the error message might contain IP addresses, server names, or even type of server that let the attacker know how and where to hack.

Managing software vulnerabilities

To protect a system from security errors, several strategies can be taken from design phase to maintenance phase. New systems should be designed and implemented after in-depth security analysis and comprehensive beta test should follow to fix unrealized random faults. After releasing them, system administrators should update the most recent security patches. Companies also have to plan proper vulnerability scanning and patch management to protect systems against security vulnerabilities.

Proactive security design and implementation: To prevent a system from security errors, it is important to perform in-depth analysis about anticipated possible faults. These faults could be design faults, programming faults, or usage faults. While designing functional performance of a system is all about making sure that the new system should work properly, security design is about making sure that a system should not work for malicious exploitations of attackers. Because programmers must consider all possible cases but most of which would never be encountered under normal use, designing error-free security is more difficult than designing functionality. Implementation and alpha test are also not easy. Security faults made during implementation are not easily noticeable and do not affect functional performance. Testing all the possible security cases is also actually impossible in limited time and budget.

Comprehensive beta test: As designing perfectly error-free software and testing all the possible cases during development are difficult, beta testing would be next strategy to find unrealized faults. Beta test is the last phase of software testing in which a large group of users tries developed software (a beta version) and finds random faults. Beta testing enables real-world users to provide their suggestions and share their opinion with developers, so that the developers can fix unrealized errors and improve the quality of the software being tested.

Immediate security patch: Even if software is released after proper beta tests, security vulnerabilities will almost inevitably be found. To correct software vulnerabilities once they are identified, security patch is the immediate solution that is provided to users. The software vendors create small pieces of software so called patches to repair the flaws without disturbing the proper operation of the software and distribute through their web site. In larger operating systems, a special program is provided to manage and keep track of the installation of patches. Proper software patching is necessary for security, and it is user's responsibility updating and maintaining the most recent patches to prevent security problems. Some security experts estimate that over 99 percent of all Internet attacks could be prevented if the system administrators would just use the most current versions of their system software. [5] 

Vulnerability scanning and patch management: Most of Microsoft Operation System users including I know the importance of security patches. I have just one system and the only thing I need to update recent patches is clicking a small button, but actually it is troublesome works to update all the patches immediately. What if I have tens or hundreds of computers to maintain? It's difficult for companies to manage security patches systematically, because multiple, often conflicting, priorities must be balanced to minimize disruption to mission-critical systems. [6] So, companies need an effective patch management mechanism to survive the insecure IT environment. Effective patch management is a systematic and repeatable patch distribution process for closing IT system vulnerabilities in an enterprise. It involves pervasive system updates, including any or all the following: drivers, operating systems, scripts, applications, or data files. [7] Vulnerability scanning also can help companies to identify weaknesses in their systems. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities. Different scanners accomplish this goal through different means. [8] 


Security problems such as hacking or virus can be reduced but not eliminated completely because no one can ever know all the software vulnerabilities of all software used on systems. But companies that want to utilize information systems have to make best efforts to prevent security vulnerabilities. Even if security vulnerability does not affect functional performance, it could result in costly disaster. Because customers are getting care about their personal information stored in various locations, companies that failed in security can loss their customers' faith and loyalty. So companies should design and implement new systems with not only in-depth security analysis but also comprehensive beta test. System administrators also should perform updating the most recent security patches and proper vulnerability scanning.