Friday, August 13, 2004

What is Security? How important is it in today's world

Security Definition: Security means that the right information (not the wrong information) is available to the right people (not the wrong people) at the right time (not the wrong time)

Security is a mindset: Security must be considered throughout the software development life cycle, and incorporated as the system develops. Current security practices focus on securing networks and patching software, but these approaches are insufficient remedies for a number of reasons:
• 85% of CERT security advisories could not have been prevented with cryptography [Schneider, 1998]
• Software patches are produced only after one or more systems have already been exploited
• System administrators sometimes are not aware that patches are available
• Software patches in themselves can introduce errors and/or further vulnerabilities
• Security is something that is proven over time through successful, repeated usage. No system is completely secure, but a system that customers can rely upon to maintain the integrity and privacy of their data

Common Problems and Exposures

• SQL Injections
• Client-side Validation Dependencies
• Buffer Overflows
• Cross Site Scripting (XSS/CSS)
• XML Injection
• Data Security

These are common problems that are seen in applications. The majority of exposures that lead to vulnerabilities are included here. Correct parameter validation and correct SQL coding practices can remove these exposures from your applications.

Buffer overflows occur in unmanaged code (C, C++, VB, etc.). When parameters used by unmanaged code are not bounds-checked, the buffer that stores the parameter can be overflowed, which causes a stack exception. If an attacker places byte code correctly into the buffer when causing the overflow, it is possible to execute any code the attacker desires.

If the developer asserts the minimum and maximum lengths of fields during development, then many buffer overflows can be caught in the quality assurance and testing phase.
SQL exceptions can be caused when a field has a static length defined in the database and the application tries to store more than that length of data. Though the overflow in this case only causes an exception and the data is not actually stored in the database, the exception occurs because the size of the parameter was not validated.
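The two outcomes described above, as an added example that is not code from the original post: a field with a declared length limit is either validated before it reaches the database or allowed through so the database raises. The table, the `FIELD_LIMITS` table of minimum and maximum lengths and the 20-character limit are constructed for the example; SQLite does not enforce `VARCHAR(n)`, so a `CHECK` constraint stands in for the fixed column width that the text refers to.

```python
import sqlite3

# Minimum and maximum lengths asserted at development time (constructed values).
FIELD_LIMITS = {"username": (3, 20)}


def validate_length(field, value):
    """Reject a value whose length is outside the declared [min, max] for the field."""
    lo, hi = FIELD_LIMITS[field]
    if not (lo <= len(value) <= hi):
        raise ValueError(f"{field}: length {len(value)} not in [{lo}, {hi}]")
    return value


def make_db():
    # The CHECK constraint emulates a column of static length in the database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT CHECK(length(username) <= 20))")
    return db


def store_unvalidated(db, username):
    """No parameter validation: an over-long value reaches the database,
    which refuses it with an exception (the 'SQL exception' of the text)."""
    try:
        db.execute("INSERT INTO users (username) VALUES (?)", (username,))
        return "stored"
    except sqlite3.IntegrityError:
        return "db_error"


def store_validated(db, username):
    """Validate first: an over-long or too-short value never reaches the database."""
    try:
        validate_length("username", username)
    except ValueError:
        return "rejected"
    db.execute("INSERT INTO users (username) VALUES (?)", (username,))
    return "stored"


def row_count(db):
    return db.execute("SELECT count(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(store_unvalidated(db, "A" * 50))  # db_error
    print(store_validated(db, "A" * 50))    # rejected
    print(store_validated(db, "alice"))     # stored
```

The validated path fails in the application with a clear message, where a QA test can catch it; the unvalidated path only fails because the database happened to have a constraint, and a database column without one would silently accept the data.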

Cross site scripting should not be confused with cascading style sheets. The most common acronym for cross site scripting is XSS; some have adopted CSS as easier to understand, but this often causes confusion, since cross site scripting has nothing to do with cascading style sheets.
Cross site scripting is the ability of an attacker to enter HTML and/or script tags into a field on a web server, which then displays the data to another client of the web server, where the scripting code is executed. Any time an application allows user input that can be seen or downloaded by another user, that field should be tested for exposure to an XSS attack.
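A worked illustration of the exposure and of the test the text recommends, added here and not part of the original post: one rendering routine pastes stored user data straight into the page, the other HTML-encodes it with Python's `html.escape`. The post body, display name and the `<xsstest>` probe are constructed sample values; the page layout is hypothetical.

```python
from html import escape

# Constructed sample of content entered by one user and displayed to another:
# a script tag in a post body, and a display name that tries to close the
# surrounding HTML attribute early.
POST_BODY = "<script>alert('xss')</script>Thanks for the help!"
DISPLAY_NAME = 'bob" onmouseover="alert(1)'


def render_unsafe(body, name):
    """Vulnerable: stored user data is placed in the response unchanged."""
    return f'<div class="post"><input value="{name}"><p>{body}</p></div>'


def render_escaped(body, name):
    """Hardened: HTML-encode for element content and for a quoted attribute value."""
    return (f'<div class="post"><input value="{escape(name, quote=True)}">'
            f'<p>{escape(body)}</p></div>')


def field_is_exposed(render, probe="<xsstest>"):
    """Test a rendering routine the way the text recommends: submit a marker
    containing markup characters and check whether it comes back unchanged."""
    page = render(probe, probe)
    return probe in page


if __name__ == "__main__":
    print(render_unsafe(POST_BODY, DISPLAY_NAME))
    print(render_escaped(POST_BODY, DISPLAY_NAME))
    print("unsafe exposed:", field_is_exposed(render_unsafe))    # True
    print("escaped exposed:", field_is_exposed(render_escaped))  # False
```

Encoding must match the context the data lands in: `quote=True` is what keeps the display name inside the `value` attribute, and data written into a script block or a URL would need a different encoding again.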

Best Practices

• Validate all parameters
• Use SQL parameter lists
• Don’t trust client-side validation
• Don’t generate data on the client
• Don’t store sensitive data on the client
• Custom authentication mechanisms should hash the password
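Two of these practices, SQL parameter lists and hashed passwords in a custom authentication mechanism, shown side by side in an added example that is not code from the original post. The weak login splices user input into the SQL text and stores the password in clear; the hardened login passes the value as a parameter and stores a salted PBKDF2 hash. The user table, the account `alice`, the iteration count and the sample inputs are all constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor; a constructed choice for the example


# ---- Weak version: concatenated SQL and a clear-text password column -------
def weak_setup():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db


def weak_login(db, name, password):
    # Vulnerable: the user-supplied strings become part of the SQL statement,
    # so a quote character in either one changes the query's meaning.
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return db.execute(query).fetchone() is not None


# ---- Hardened version: parameter list and salted, iterated hash -------------
def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def strong_setup():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct horse", salt)))
    return db


def strong_login(db, name, password):
    # The driver sends the value separately from the SQL text, so quotes in
    # `name` are data, never syntax. The password never touches the query.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    probe = "' OR '1'='1"
    print(weak_login(weak_setup(), "alice", probe))      # True: the check is bypassed
    print(strong_login(strong_setup(), "alice", probe))  # False
```

With the parameter list in place the same probe is simply a password that does not match, and because only a salted hash is stored, a leak of the table does not hand out usable credentials.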
