Sunday, January 11, 2015

Software Engineering Security part 4: Definitions and Language

This blog has covered assigning severity to vulnerabilities, but we haven’t covered the definitions of vulnerabilities.

A vulnerability is a weakness in software. For a vulnerability to be exploited, there must be a weakness in the system, the weakness must be exposed to an attacker, and it must be exploitable by that attacker.

Security works best in layers, so eliminate or mitigate all three of these conditions to reduce vulnerabilities in software.

To reduce the number of weaknesses, use secure development practices and a secure development lifecycle.

To reduce exposure, limit the software’s threat surface. Limit the number of services exposed externally, use a firewall, and ensure that untrusted user input goes through a trusted and secured code path.

It’s hard to reduce all exploitability vectors, since attacks only get better and future attack methods can’t be reliably predicted. Host-based protections such as SELinux, stack protection, and ASLR work reliably, but they take diligence and effort to keep enabled and up to date.

Finally, consider exposure when assigning vulnerability severity. Often a vulnerability has severe consequences but can be mitigated by disabling a service or feature. Calculate the CVSSv2 score for different scenarios and consider how best to mitigate a vulnerability.