Programs and Programming

• This chapter investigates vulnerabilities caused by programmers.
• Programming security failures can be intentional or unintentional.
• Problems with software can occur anywhere
  • In the design (bad design)
  • In the code (bad coding)
  • In the tools used by the code (bad coding, use of tool, ...)
  • In the setup of the application (bad configuration)
  • In the use of the application (bad user)
  • Hardware failure
  • System failure
• And the result can be anywhere from not noticeable to catastrophic.
• There is no standard terminology for these errors
  • This is a discussion of a proposed but inactive IEEE standard
  • We normally refer to any non-syntax error as a bug.
  • A human can make an error
  • This error can lead to a fault or an incorrect step in a process.
    • They point out that a design fault can lead to a coding error.
    • And an error may lead to many faults.
  • A failure is a departure from a systems required behavior.
    • A fault is an inside view of a problem.
    • A failure is an outside view.
    • The faulty code may never be executed
    • But once it is, it can become a failure.
  • Finally a flaw is the term security professionals use to describe any type of software fault or failure.
• They point out that when using software
  • It is common not to notice minor flaws.
  • Or to assume that these are user errors.
  • Programmers produce code with flaws. (That is a solid positive statement)
  • And despite testing, flaws exist and persist.
• Flaws have two security implications
  • They can pose a threat to the integrity of the system.
    • Incorrect computations -> faulty data.
    • Data can be
      • Incorrectly computed
      • Overwritten or destroyed
    • But this could lead to a broken system which impacts availability.
    • Or even incorrectly protected data that can compromise the confidentiality of the system.
  • They can be exploited by a malicious actor.
• They look at several types of programming errors.