Securing your system starts with application security. The vast majority of security weaknesses exploited by viruses, worms and other malware are due to poor application design. Do software programmers intentionally introduce weaknesses into the applications they create? No, the problem is one of TRUST. Software developers trust their programs to be used the way they are designed. They trust users to respect the bounds of data input (buffer overflow vulnerability). They trust users to enter input that is asked for, not embed HTML in data entry fields (cross site scripting vulnerability) or SQL commands (SQL injection vulnerability). They trust the network to be secure so data is not "sniffed" on the transportation between a browser and a server (lack of encryption vulnerabilities). They trust passwords to be strong and rotated often.
Unfortunately, TRUST is not a good practice today in application development.
There was a time long ago (in computer "years") when trust was the common model for applications. The Internet itself was built upon a model of "trust and cooperation". Application vulnerabilities were often well-known and corrected when the software developers could find time. Robert Morris, Jr. broke this bubble of naive trust when he unleashed the first network "worm" in 1988 -- which exploited commonly known vulnerabilities in applications to propagate uncontrollably throughout the Internet. There was also a time, back in the 1980s, when running a program on your personal computer would do only what the author designed. That "naive bubble of trust" was broken when some clever programmers discovered that one could add code to executables and make them do something different. Viruses, too, were born in the early 1980s but they were somewhat contained from rapid propagation by floppy disks. When PC's became networked, and E-mail became ubiquitous, viruses exploded into a major problem.
In today's environment, TRUST is a software developer's worst enemy. How do programmers develop good security skills to combat trust? By anticipating the worst, by educating themselves on the ways exploits happen, and by developing best practices for designing applications that stand up to untrustworthy uses. It is the goal of Application Security at UNO to raise awareness of some of the common pitfalls of TRUST in application development, and to develop some best coding practices to help deliver secure applications. In developing a good, secure set of standard practices for writing code, we can minimize the risk thst malicious users will break our applications to gain access to servers, to download confidential information, and worse.
Websites and tutorials that help develop secure coding practices
Writing secure code is a growing concern for many IT professionals and organizations who want to make sure malicious users cannot misuse their code. Below are several websites and tutotials which address this issue.