Java Reference
In-Depth Information
Vulnerability can be deined as the lack of a safeguard causing a weakness that could be
exploited. Vulnerabilities have always been an inherent part of any computing system. Network
devices, operating systems, and applications have always been rife with vulnerabilities through
the ages. Network devices have been plagued with vulnerabilities, the exploiting of which has led
to the control of the device being lost to attackers. he operating system space has always been
plagued with vulnerabilities, Windows operating systems being the prime victim. Exploits written
for Windows OS * have led to complete compromise of the devices and, in some cases, a compro-
mise of several other systems on the network connected to it. Web servers and databases have not
been far behind. Apache, one of the most popular Web server platforms in the world with over
a 67% market share, has had a huge number of exploits written by various attackers or hacking
enthusiasts all over the world for its vulnerabilities. hese can also result in anything from steal-
ing of user sessions to complete control over the server. SQL Server and MySQL, two popular
database platforms, have also had a great deal of exploits written for their several vulnerabilities.
Vulnerabilities are perpetrated at various stages in the development and deployment of a system or
application. he types of vulnerabilities can be broadly classiied into the following:
Design vulnerabilities
Coniguration vulnerabilities
Development vulnerabilities
5.4.1.1 Design Vulnerabilities
Design vulnerability can be deined as vulnerability inherent in the design or speciication of
hardware or software whereby even a perfect implementation will result in vulnerability. hese
are the ones that are extremely diicult to ix. As the name suggests, design vulnerabilities are
those that are formed during the design phase. he design of the application is formulated at
the earlier stages of the application development life cycle. Based on a ixed design speciica-
tion, the development phase commences. As one can imagine, it is imperative for the appli-
cation design to be as comprehensive as possible. he application architects must mull over
several issues and variables to come up with a design speciication, based on the requirements.
Design vulnerabilities are vulnerabilities that permeate into the application, due to a lawed
application design. For instance, let us assume that an application has not been designed to
log critical information; it is a clear design law, because the application architects have not
taken logging into account during development of the detailed design speciications for the
application, which has resulted in a lawed application design in the form of a lack of logging
capability. Logging is an important security requirement and functional requirement, because
logging can help the organization trace the root of a problem. Only with efective logging can
the organization discover whether an individual gained unauthorized access to an application
or attempted an unauthorized access to the application. To introduce logging into the applica-
tion once it has been developed or even halfway through its development requires considerable
additional time and efort in formulating a log management strategy, creating a design for the
same, and actually fructifying the request through coding. An efective risk assessment for Web
applications helps greatly in reducing design vulnerabilities that may otherwise manifest in a
Web application.
* Exploits and their descriptions for all OS, network device, database and server platforms can be found here:
http://www.securityfocus.com/bid.
Search WWH ::




Custom Search