
Role of software engineering in engineering of security into software systems

I would start with a quote from Gene Spafford: “Security is like adding brakes to cars. The purpose of brakes is not to stop you: it’s to enable you to go fast!” Software security is the idea of engineering software so that it continues to function correctly under malicious attack. A central and critical aspect of the computer security problem is a software problem. Software defects with security ramifications, including implementation bugs such as buffer overflows and design flaws such as inconsistent error handling, promise to be with us for years. All too often, malicious intruders can hack into systems by exploiting software defects. Internet-enabled software applications present the most common security risk encountered today, with software’s ever-expanding complexity and extensibility adding further fuel to the fire. By any measure, security holes in software are common, and the problem is growing [Graw 2001].

In the client/server model, the client machine is most often the source of a threat, and that threat can propagate to the server and its data. The same problem exists for web servers, which clients access in the same way. Securing communication between client and server, whether within a client/server system or over the web, starts with securing the client side and its applications. Security issues can exist on the browser side, in software such as IE, and on the server side, in software such as IIS [Wilson and Craske 1999].

IIS has had many vulnerabilities in the past that affected a large number of organizations and small businesses [Claburn 2009]. Some of these vulnerabilities are:

Denial-of-service attacks: such an attack is related to a stack overflow in the IIS FTP module. The solution suggested by Microsoft is to turn off the FTP service unless it is needed. IIS should also be configured to prevent the creation of new directories [Claburn 2009].

Elevation-of-privilege attacks: such an attack is launched by sending crafted anonymous HTTP requests that attempt to reach a location that normally requires authentication. It can be mitigated by enforcing file-system-based ACLs, so that the attacker is restricted to the permissions granted to the anonymous user account on the system [Claburn 2009].

Zero-day attacks: such an attack uses exploit code that can create a denial-of-service condition on Windows Server 2003 and Windows XP without requiring write access to the server file system. To mitigate it, the NTFS file system needs to be configured to disallow directory creation by FTP users and to disallow FTP write access for anonymous users [Prince 2009].

File Transfer Protocol (FTP) attacks: such an attack happens when code is run to install unauthorized software on the IIS host. It is possible only when FTP is enabled, so it can be mitigated by disabling the FTP capability on IIS [Protalinski 2009].

Internet Explorer (IE) is used by many users across the world, and this client application faces many security threats that can compromise both the user’s computer and the server’s security [Prince 2007]. Some of the security threats IE has faced over the past years are:

Crafted script (phishing site) attack: such an attack creates a crafted HTML local resource link carrying a script that displays fake content purporting to come from a trusted site. Once the link is clicked, a “Navigation Cancelled” page is shown to push the victim into refreshing the page, at which point the fake content is served to the user. To avoid this attack, users must be aware of it and must not trust the “Navigation Cancelled” page.

Inline frames attack: such an attack happens via frames, which are used to serve web ads that come from a different domain than the content shown on the same web page. In Internet Explorer these frames do not have restricted access to the document’s other frames, so attackers can modify the contents of the frames to direct users to different domains [Claburn 2009].

Code execution attack: such an attack happens when the attacker hosts a maliciously crafted web page; the code runs if the user is convinced to visit the page and press the F1 key in response to a pop-up [Naraine 2010].

System file attack: such an attack is built on a file that is part of the Windows system files. The attacker takes control of the user’s computer through an IE feature that lets the browser control other Microsoft applications running under Windows, and gains that control while the user visits the attacker’s web site [Thurrott 2005].
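The IIS mitigations above come down to one rule: a request that presents no valid credential is the anonymous account, and that account may do only what the file-system ACLs explicitly grant it, with no directory creation or write access for anonymous FTP users. The following is an added example written for this page (not IIS code and not code from any cited source) of such a permission-based check: the principal is derived from a presented credential only, every decision comes from an explicit ACL on the target resource, crafted paths are normalized before lookup, and any error while evaluating a request is treated as a denial. The resource layout, the ACLs and the credential table are constructed for the example.

```python
"""Added example (not IIS code): permission-based authorization for web/FTP
requests, with an anonymous account that holds only what the ACLs grant it."""
import posixpath

ANONYMOUS = "anonymous"

# Constructed credential table: bearer token -> principal. Anything not in
# this table is treated as anonymous, whatever else the request claims.
TOKENS = {"tok-alice-constructed": "alice"}

# Constructed resource layout. Each entry is an ACL: principal -> allowed ops.
# Access decisions are based on permission (allow-list), never on exclusion.
ACLS = {
    "/wwwroot/index.html": {ANONYMOUS: {"read"}, "alice": {"read", "write"}},
    "/wwwroot/private/report.html": {"alice": {"read"}},
    "/ftproot": {ANONYMOUS: {"read"}, "alice": {"read", "write", "mkdir"}},
}


def principal_from_request(headers):
    """Derive the principal from a presented credential only. A crafted
    header such as X-User cannot promote an anonymous request."""
    token = headers.get("Authorization", "")
    return TOKENS.get(token, ANONYMOUS)


def normalize(path):
    """Collapse '.' and '..' segments so a crafted path cannot reach outside
    the tree or dodge an ACL lookup by spelling the same file differently."""
    return posixpath.normpath("/" + path.lstrip("/"))


def authorize(principal, op, path):
    """True only when the resource's ACL explicitly grants op to principal.
    Unknown resources, unknown principals and any error while evaluating the
    request all result in a denial (fail closed)."""
    try:
        acl = ACLS[normalize(path)]          # KeyError for an unknown resource
        return op in acl.get(principal, set())
    except Exception:
        # Returning True on an unexpected error would be the inconsistent
        # error handling the text warns about; deny on any failure instead.
        return False


def handle_request(headers, op, path):
    """Server-side entry point: identify the principal, then check the ACL."""
    return authorize(principal_from_request(headers), op, path)


if __name__ == "__main__":
    # Anonymous read of a public page is allowed ...
    print(handle_request({}, "read", "/wwwroot/index.html"))
    # ... but a crafted anonymous request for a protected page is denied,
    # whether it claims a user name in a header or hides the path behind '..'.
    print(handle_request({"X-User": "alice"}, "read", "/wwwroot/private/report.html"))
    print(handle_request({}, "read", "/wwwroot/../../wwwroot/private/report.html"))
    # The anonymous FTP user holds no mkdir or write permission on the FTP root.
    print(handle_request({}, "mkdir", "/ftproot"))
    print(handle_request({"Authorization": "tok-alice-constructed"}, "mkdir", "/ftproot"))
```

The two design points worth noting are that the anonymous principal is the default outcome of credential lookup rather than something a request can opt out of, and that the ACL is consulted with an allow-list question ("is this op granted?") so that an unknown resource, an unknown principal, or a malformed path all end in the same denial.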

Network security is an important task that must be carried out after developing a network of any scale. There are many network security issues, such as spam, Trojans, viruses and malware. There are some recommended steps of great importance for keeping a network secure; if the network administrator follows them properly, there is a much better chance of avoiding threats to the computer network in the first place. Larger computer networks should be divided into segments, both for manageability and for ease in finding culprit systems. Internet access should be filtered by blocking port 1433 and port 1434, or firewall software can be used to implement such filters. The network administrator should make sure that all systems, including servers, are kept updated. Third-party security tools are also available and can be installed, after testing, for better security measures. IT managers can also use strong authentication methods to keep the network secure from threats. If an application requires admin rights for installation, only the network administrator should install it; handing admin credentials to anyone else for assistance can be very risky. Older known threats can strike again, so the network administrator must keep the network secure not only from the latest threats but also from previously known attacks. Known Windows services such as Telnet and Clipbook should not be disabled, since they have tasks to perform; do not disable any default service until you are sure of what you are doing. Create, configure and implement security policies, since implementing security policies helps keep the network secure. Keep network users educated on these policies, and make sure to send a notice to all clients whenever the policies are updated. A security problem is more likely to arise because of a problem in a standard-issue part of the system than in some given security feature.

This is an important reason why software security must be part of a full lifecycle approach. Security should be addressed explicitly at the requirements level. Security requirements must cover both overt functional security (say, the use of applied cryptography) and emergent characteristics. One great way to cover the emergent security space is to build abuse cases. Similar to use cases, abuse cases describe the system’s behaviour under attack. At the design and architecture level, a system must be coherent and present a unified security architecture that takes security principles (such as the principle of least privilege) into account. Designers, architects and analysts must clearly document assumptions and identify possible attacks. At both the specification-based architecture stage and the class-hierarchy design stage, risk analysis is a necessity: security analysts should uncover and rank risks so that mitigation can begin. Disregarding risk analysis at this level will lead to costly problems down the road. External review (outside the design team) is often necessary. At the code level, we should focus on implementation flaws, especially those that static analysis tools (tools that scan source code for common vulnerabilities) can find.
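The last sentence above mentions static analysis tools that scan source code for common vulnerabilities. The following is an added example, not a tool from the page or from any product, of a minimal pass of that kind written with Python’s standard ast module: it flags data handed to a command shell (os.system, os.popen, or a subprocess call with shell=True), SQL assembled by string formatting before being passed to an execute call, and eval/exec. The SAMPLE source it scans is constructed for the example and deliberately places each flawed form next to its corrected form, so the findings show which of the two the pass singles out.

```python
"""Added example (not any product's scanner): a minimal static-analysis pass
over Python source using the standard ast module."""
import ast

# subprocess entry points that accept shell=True
SUBPROCESS_CALLS = {"run", "call", "check_call", "check_output", "Popen"}


def _name_of(node):
    """Dotted name of a call target ('os.system', 'cur.execute', 'eval'),
    or '' when the target is something more complex than names and attributes."""
    if isinstance(node, ast.Attribute):
        base = _name_of(node.value)
        return base + "." + node.attr if base else node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _is_string_built(node):
    """Heuristic: the expression is an f-string, a '%' or '+' expression, or a
    .format() call, i.e. text assembled at run time rather than a literal."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def scan_source(source):
    """Return sorted (line, rule) findings for the given Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        target = _name_of(node.func)
        short = target.rsplit(".", 1)[-1]
        if target in ("os.system", "os.popen"):
            findings.append((node.lineno, "shell-command"))
        elif target.startswith("subprocess.") and short in SUBPROCESS_CALLS:
            # Only the shell=True form hands the string to a shell parser;
            # an argument vector without shell=True is not reported.
            if any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                   and kw.value.value is True for kw in node.keywords):
                findings.append((node.lineno, "shell-command"))
        elif short == "execute" and node.args and _is_string_built(node.args[0]):
            findings.append((node.lineno, "sql-string-build"))
        elif target in ("eval", "exec"):
            findings.append((node.lineno, "dynamic-eval"))
    return sorted(findings)


# Constructed input: in each pair the flawed form is followed by its fix.
SAMPLE = """
import os, subprocess

def lookup(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()

def ping(host):
    os.system("ping -c 1 " + host)
    subprocess.run(["ping", "-c", "1", host])
    subprocess.run("ping -c 1 " + host, shell=True)
"""

if __name__ == "__main__":
    for line, rule in scan_source(SAMPLE):
        print("line %d: %s" % (line, rule))
```

Run as a script it reports lines 6, 11 and 13 of SAMPLE (the '%'-built query, the os.system call and the shell=True call) and stays silent on the parameterized query and the argument-vector call beside them. The '+' rule is a heuristic and will also fire on numeric addition in the first argument of an execute call, which is the usual trade-off between false positives and missed findings in a pass this small.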

Some of the secure coding practices are:

- Validate input from all untrusted data sources.
- Compile code using the highest warning level available for your compiler, and eliminate warnings by modifying the code.
- Create a software architecture and design your software to implement and enforce security policies.
- Keep the design as simple and small as possible.
- Base access decisions on permission rather than exclusion.
- Run every process with the least set of privileges necessary to complete the job.
- Sanitize all data passed to complex subsystems such as command shells, relational databases and commercial off-the-shelf (COTS) components.
- Manage risk with multiple defensive strategies, so that if one layer of defence turns out to be inadequate, another layer can prevent a security flaw from becoming an exploitable vulnerability and/or limit the consequences of a successful exploit.
- Use good quality assurance techniques, which can be effective in identifying and eliminating vulnerabilities.
- Adopt a secure coding standard.
- Identify and document security requirements early in the development life cycle, and make sure that subsequent development artefacts are evaluated for compliance with those requirements.
- Use threat modelling to anticipate the threats to which the software will be subjected.
- Check for the common implementation risks: buffer overflows, race conditions, randomness, authentication systems, access control, applied cryptography and trust management.

Security testing must encompass two strategies: testing security functionality with standard functional testing techniques, and risk-based security testing based on attack patterns and threat models. A good security test plan (with traceability back to requirements) uses both strategies. Penetration testing is also useful, especially if an architectural risk analysis is specifically driving the tests. Operations people should carefully monitor fielded systems during use for security breaks. Simply put, attacks will happen regardless of the strength of the design and implementation, so monitoring software behaviour is an excellent defensive technique. Knowledge gained by understanding attacks and exploits should be cycled back into the development organization, and security practitioners should explicitly track both threat models and attack patterns. There are various standards and frameworks available to address security: ISO 9000, CMMs, CISSP and ISO 13335. Among these, CMM is the most widely accepted, because it is the accepted way of defining practices and improving capability.
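Two of the practices listed above, validating input from untrusted sources and sanitizing data passed to complex subsystems such as command shells and relational databases, are shown in this added example (written for this page, not code from the post or from any cited author). It contrasts a query that splices untrusted text into SQL with a parameterized query against an in-memory SQLite table of constructed rows, and it builds a ping command as an argument vector after allow-list validation of the host name instead of handing a string to a shell. The table contents, the host-name pattern and the function names are assumptions made for the example.

```python
"""Added example (not code from the post): parameterized SQL and shell-free
command construction, two instances of sanitizing data passed to subsystems."""
import re
import shlex
import sqlite3


def make_db():
    """In-memory SQLite table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_unsafe(conn, name):
    """Flawed form: the untrusted value becomes part of the SQL text, so a
    value containing a quote changes the meaning of the query."""
    cur = conn.execute("SELECT name FROM users WHERE name = '%s'" % name)
    return [row[0] for row in cur.fetchall()]


def find_user_safe(conn, name):
    """Corrected form: the driver binds the value as data, so it is compared
    rather than parsed, and no escaping by hand is needed."""
    cur = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


# Allow-list pattern for a DNS host name (assumed for the example): labels of
# letters, digits and hyphens, neither starting nor ending with a hyphen.
HOSTNAME = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")


def is_valid_host(host):
    """Permission-based check: only what matches the allow-list is accepted."""
    return isinstance(host, str) and HOSTNAME.fullmatch(host) is not None


def ping_argv(host):
    """Validate against the allow-list, then return an argument vector for
    subprocess.run(...) without a shell: nothing ever parses the string."""
    if not is_valid_host(host):
        raise ValueError("rejected host name: %r" % host)
    return ["ping", "-c", "1", host]


def ping_shell_line(host):
    """If a shell is unavoidable (e.g. a command sent over SSH), the value is
    validated first and then quoted with shlex.quote as a second layer."""
    return "ping -c 1 " + shlex.quote(ping_argv(host)[-1])


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print(find_user_unsafe(db, probe))   # every row: the quote broke the query
    print(find_user_safe(db, probe))     # []: the value was merely compared
    print(ping_argv("example.com"))
    print(is_valid_host("example.com; whoami"))   # False: rejected before use
```

The host-name check and the argument vector are two independent layers, in the spirit of the "multiple defensive strategies" practice: even if the pattern were too permissive, the value still reaches ping as a single argument and is never interpreted by a shell.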

In conclusion, it will be easier to produce secure software if risk management activities and checkpoints are integrated throughout the development life cycle, from before the software’s inception through to its decommissioning. Security should be treated as a holistic process rather than considered in isolation. Note that risks crop up during all stages of the software life cycle, so a constant risk analysis thread, with recurring risk tracking and monitoring activities, is highly recommended. Security needs are now becoming clearer, and standards and regulations have started to include security mandates; some of them are as follows. IEEE P1074 gives project leaders a plan for including all aspects of the SDLC when making security-related decisions. HIPAA seeks to establish standardised mechanisms for EDI, security and confidentiality in the health care domain. The PCI Data Security Standard deals with the standards included in the requirements of Visa’s CISP and MasterCard’s SDP. Sarbanes-Oxley requires that systems processing and maintaining financial data comply with SOX requirements. SSE-CMM describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering; this model applies to all types and sizes of security engineering organizations and to all elements within those organizations.

These standards have made application security a priority for achieving compliance. It is now time for the security management thinking of organizations to adapt security needs into application development. As a conclusion, I would go back to Bruce Schneier’s definition of security: “Security is a process and not a product.”

References


[1] [Claburn 2009] Claburn, T. (2009) Microsoft Expands IIS Vulnerability Warning [Online]. Available from: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=219501448 (Accessed: 24 August 2012).

[2] [Claburn 2009] Claburn, T. (2009) Microsoft Internet Explorer Vulnerability Warning Issued [Online]. Available from: http://www.informationweek.com/news/internet/browsers/showArticle.jhtml?articleID=208801757 (Accessed: 24 August 2012).

[3] [Graw 2001] Viega, J. & McGraw, G. (2001) Building Secure Software. Addison-Wesley.

[4] [Naraine 2010] Naraine, R. (2010) Microsoft Investigating new IE browser vulnerability [Online]. Available from: http://www.zdnet.com/blog/security/microsoft-investigating-new-ie-browser-vulnerability/5560 (Accessed: 24 August 2012).

[5] [Pressman 2001] Pressman, R.S. (2001) Software Engineering: A Practitioner’s Approach. McGraw-Hill.

[6] [Prince 2009] Prince, B. (2009) Microsoft IIS Vulnerability Gets Hit By Attacks [Online]. Available from: http://www.eweekeurope.co.uk/news/news-security/microsoft-iis-vulnerability-gets-hit-by-attacks-1767 (Accessed: 24 August 2012).

[7] [Protalinski 2009] Protalinski, E. (2009) IIS vulnerability under limited attacks [Online]. Available from: http://arstechnica.com/microsoft/news/2009/09/microsoft-investigating-possible-vulnerability-in-iis.ars (Accessed: 24 August 2012).

[8] [Thurrott 2005] Thurrott, P. (2005) Microsoft Preps Fix for Latest IE Vulnerability [Online]. Available from: http://www.windowsitpro.com/article/internet/microsoft-preps-fix-for-latest-ie-vulnerability.aspx (Accessed: 24 August 2012).

[9] [Wiegers 2009] Wiegers, K.E. (2009) Software Requirements Specification [Online]. Available from: http://www.processimpact.com/process_assets/srs_preview.pdf (Accessed: 27 August 2012).

[10] [Wilson and Craske 1999] Wilson, I. & Craske, N. (1999) Client/Server Security issues [Online]. Available from: http://www.melbpc.org.au/pcupdate/9908/9908article8.htm (Accessed: 24 August 2012).


1 Comment

  1. Hi, the whole thing is going nicely here and of course everyone
    is sharing information, that’s genuinely fine, keep up writing.
