Introduction To Software Security Concepts

This document provides an introduction to key concepts in software security. It discusses how security aims to protect systems from intrusion through mechanisms like authentication, authorization, auditing and intrusion detection. Vulnerabilities and attacks pose risks, where vulnerabilities are internal flaws and attacks are external exploits. The document outlines techniques for developing more secure software, including security testing, vulnerability and attack injection, security benchmarking, and secure development practices. It focuses on improving software security as web applications become more critical but also more vulnerable.


Introduction to Software Security Concepts

Marco Vieira and Nuno Antunes

Abstract The main problem faced by system administrators nowadays is the
protection of data against unauthorized access or corruption due to malicious
actions. In fact, due to the impressive growth of the Internet, software security has
become one vital concern in any information infrastructure. Unfortunately,
software security is still commonly misunderstood. This chapter presents key
concepts on security, also providing the basis for understanding existing
challenges on developing and deploying secure software systems.

 
Keywords Security · Software security · Security testing · Software vulnerabilities ·
Security benchmarking · Vulnerability injection · Attack injection ·
Secure software development

M. Vieira (&) · N. Antunes
Department of Informatics Engineering, University of Coimbra,
DEI, Pólo II—Universidade de Coimbra, 3030-290 Coimbra, Portugal
e-mail: mvieira@dei.uc.pt

D. Cotroneo (ed.), Innovative Technologies for Dependable OTS-Based Critical Systems,
DOI: 10.1007/978-88-470-2772-5_3, © Springer-Verlag Italia 2013

1 Introduction

Security, ‘‘the practice of building software to be secure and function properly
under intentional malicious attack’’ [13], is an integrative concept that includes
four key properties [1]: confidentiality (absence of unauthorized disclosure of a
service or piece of information), authenticity (guarantees that a service or piece of
information is authentic), integrity (protection of a service or piece of information
against illicit and/or undetected modification), and availability (protection against
possible denials of service caused maliciously). To achieve these properties
several security mechanisms have been developed in the past, targeting especially
subsystems such as operating systems, database management systems, and web
servers. These mechanisms can be classified as follows [1]:
• Secure channels and envelopes: mechanisms that provide communication in a
secure way. The information is transmitted through the network using secure
channels or encapsulated in envelopes.
• Authentication: mechanisms that ensure that the data accessed by the users is
authentic.
• Protection and authorization: mechanisms that protect resources and data
from unauthorized access and guarantee that users only do what they are
authorized to do.
• Auditing and intrusion detection: these mechanisms allow a posteriori
analysis of the accesses to resources and data, allowing the detection of
unauthorized accesses or anomalous usage.
In practice, the goal of security is to protect systems and data from intrusion.
The risk of intrusion is related to the system vulnerabilities and the potential
security attacks. The system vulnerabilities are an internal factor related to the set
of security mechanisms available (or not available) in the system, the correct
configuration of those mechanisms, and the hidden flaws in the system
implementation. Many types of vulnerabilities are known, as are taxonomies to
classify them [22]. Vulnerability prevention consists of guaranteeing that the
software has the minimum number of vulnerabilities possible. On the other hand, as the
effectiveness of the security mechanisms depends on their correct configuration,
the system administrator must correctly configure the security mechanisms by
following administration best practices. Vulnerability removal consists of
reducing the vulnerabilities found in the system. The administrator must pay
attention to the new security patches released by software vendors and install those
patches as soon as possible. Furthermore, any configuration problems detected in
the security mechanisms must be immediately corrected.
Security attacks are an external factor that mainly depends on the
intentionality and capability of humans to maliciously break into the system
taking advantage of vulnerabilities. In fact, the success of a security attack
depends on the vulnerabilities of the system, and attacks are harmless in a system
without vulnerabilities. On the other hand, vulnerabilities are harmless if the
system is not subject to security attacks. The prevention of security attacks
includes all the measures needed to minimize or eliminate the potential attacks
against the system. Attack removal is related to the adoption of measures to stop
attacks that have occurred before.
Secure software behaves correctly in the presence of malicious use
(attack), even though software failures may also happen when the software is used
correctly [12]. Thus, software development and testing are often concerned only
with what happens when software fails and not with the intentions behind the failure.
This is where the difference between software safety and software security lies: in the
presence of an intelligent adversary with the intention of damaging the system.

In the last two decades, the World Wide Web radically changed the way people
communicate and do business. Even critical infrastructures like water supply,
power supply, banking, insurance, stock market, retail, communications, defense,
etc., nowadays rely on networks, on the web and on the applications that run in
these distributed environments. The problem is that, as the importance of the assets
stored and managed by web applications increases, so does the natural interest of
malicious minds in exploiting this new vein. In fact, web applications are so
widely exposed that any existing security vulnerability will most probably be
uncovered and exploited by hackers. Hence, the security of web applications is a
major concern and is receiving more and more attention from the research
community. However, in spite of this growing awareness of security aspects at
web application level, there is an increase in the number of reported attacks that
exploit web application vulnerabilities [3, 21]. In fact, hackers have moved their
focus beyond network attacks to the exploitation of vulnerabilities in the code of
web applications. This poorly programmed code represents the current major risk
in software security, as it is the target of attacks that exploit applications’
inputs with specially tampered values. These values take advantage of existing
vulnerabilities, representing a considerable danger to the application’s owner
(e.g., by giving an attacker privileges to read, modify or destroy reserved
resources).
To prevent vulnerabilities developers must apply best coding practices, perform
security reviews, execute penetration testing, use code vulnerability detectors, etc.
Still, developers often focus on the implementation of functionalities and on
satisfying the customer’s requirements and disregard security aspects. Also, most
developers are not security specialists, and the common time-to-market constraints
limit an in-depth search for vulnerabilities. Another problem is that traditional
security mechanisms like network firewalls, intrusion detection systems (IDS), and
encryption are not able to mitigate web application attacks, because these attacks are
performed through the ports used for regular web traffic [20]; even
application layer firewalls cannot fully protect the applications, as that requires a deep
understanding of the business context [18]. In this scenario, a large effort should be
put into improving the state of the art in the security of software systems.
This chapter surveys key concepts, techniques and tools for developing and
deploying secure software, namely:
• Security Testing. Techniques and tools for detecting vulnerabilities are of the
greatest importance in helping developers produce more secure code. Penetration
testing and static code analysis are the two techniques most used by web service
developers to detect security vulnerabilities in their code [22]. Section 2
overviews the key concepts on security testing.
• Vulnerability and Attack Injection. The goal of vulnerability injection is to
provide the means to introduce realistic vulnerabilities in applications code. This
methodology is extremely useful in different contexts, including: (1) for training
security teams; (2) to evaluate security teams in a controlled environment; (3) to
estimate the total number of vulnerabilities still present in the code; and (4) as a
building block for an attack injection tool. Attack injection is a methodology to
automatically attack applications, which can be a valuable tool for testing
various counter measure mechanisms, like IDS, Firewalls, Vulnerability
Scanners, etc. Section 3 overviews the key concepts on vulnerability and attack
injection.
• Security Benchmarking. Security evaluation methodologies available
nowadays have several limitations: either they are too complex, too costly, or
applicable only to particular parts of a system. As a result, comparing different
alternatives in terms of security is a difficult assignment faced by many system
administrators. Security benchmarking allows assessing and comparing the
security of systems and/or components, enabling informed decisions
while designing, developing, and deploying complex software systems.
Section 4 presents the main concepts on security benchmarking.
• Secure Software Development. Avoiding software vulnerabilities depends on
the best practices and tools applied during the implementation, testing and
deployment phases of the software development cycle. However, many times
those practices are disregarded, as developers are frequently not specialized in
security and face hard time-to-deploy constraints. Realizing the benefits of
secure coding and the limitations of existing processes requires rethinking the
way we build software. Section 5 provides an introduction to key security
aspects that should be kept in mind when developing software, putting into the
context of the software process the techniques presented before.

2 Security Testing

To identify security issues, developers must focus not only on testing the
functionalities of the application but also on searching for dangerous security
vulnerabilities that are present in the code and that can be maliciously exploited [12].
This includes applying best coding practices, performing security inspections,
executing penetration tests, static code analysis, etc. [22]. However, developers often
do not have the required security training and/or the hard time-to-market
constraints make them focus on satisfying the user’s functional requirements,
disregarding security aspects. In this scenario, automated tools have a very
important role in helping developers produce less vulnerable code.
Different techniques for the detection of vulnerabilities have been proposed in
the past [22], but in practice these techniques can be divided into two main groups:
White-box analysis, which consists of examining the code of the application
without executing it (this can be done in one of two ways: manually during code
inspections and reviews or automatically by using automated analysis tools); and
Black-box testing, which refers to the analysis of the program execution from an
external point of view (in short, it consists of exercising the software and
comparing the execution outcome with the expected result). Black-box testing is
probably the most used technique for verification and validation of software.
The main limitation of black-box approaches is that vulnerability detection is
limited by the output of the application. On the other hand, white-box analysis
does not take into account the runtime view of the code. Gray-box approaches
combine black-box and white-box techniques in order to overcome their
limitations. A preliminary analysis of the code can be used to find possible
vulnerable points or to establish the attacks to perform in a later phase. Another
option is to use code instrumentation to obtain more information about the internal
status of the application.
Chapter 12 (Security Testing in SOAs: Techniques and Tools) of this book
discusses existing techniques and tools to perform security testing in web
applications and services. Additionally, the chapter discusses the new security
challenges raised by the Service Oriented Architecture (SOA) concept, also
proposing research directions on required techniques and tools.

3 Vulnerability and Attack Injection

The use of fault injection techniques to assess security is a particular case of
software fault injection (discussed in detail in a previous chapter), focused on the
software faults that represent security vulnerabilities or may cause the system to
fail in avoiding a security problem. Security vulnerabilities are in fact a particular
case of software faults, which require adapted injection approaches. In [6] the
vulnerabilities of six web applications were analyzed using field data based on a
set of 655 security fixes. Results show that only a small subset of 12 generic
software faults is responsible for all the security problems. In fact, there are
considerable differences when comparing the distribution of the fault types related to
security with studies of common software faults.
Neves et al. proposed a tool (AJECT) focused on discovering vulnerabilities in
network servers, specifically in IMAP servers [17]. In their work the fault space is
the pair (attack, vulnerability), which creates an intrusion that may cause an error
and, possibly, a failure of the target system. To attack the target system they used
predefined test classes of attacks and some form of fuzzing.
A procedure inspired by the fault injection technique (which has been used for
decades in the dependability area) and targeting security vulnerabilities is proposed in [6].
In this work, the ‘‘security vulnerability’’ plus the ‘‘attack’’ represent the space of the
‘‘faults’’ that can be injected in a web application, and the ‘‘intrusion’’ is the ‘‘error’’
[5, 7]. To emulate real world web vulnerabilities with accuracy, this work relies on the
results obtained in a field study on real security vulnerabilities, which were used to
develop a novel Vulnerability Injection tool.
Conceptually, attack injection is based on the injection of realistic vulnerabilities
that are automatically attacked, and finally the result of the attack is evaluated. As
proposed in [7], a tool able to perform vulnerability and attack injection is a key
instrument that can be used in several relevant scenarios, namely: building a
realistic attack injector, training security teams, evaluating security teams, and estimating
the total number of vulnerabilities still present in the code, among others.

4 Security Benchmarking

Several security evaluation methods have been proposed in the past [4, 10, 19, 24].
The Orange Book [19] and the Common Criteria for Information Technology
Security Evaluation [10] define a set of generic rules that allow developers to specify
the security attributes of their products and evaluators to verify if products actually
meet their claims. Another example is the red team strategy [24], which consists of a
group of experts trying to hack its own computer systems to evaluate security.
The work presented in [11] addresses the problem of determining, in a thorough
and consistent way, the reliability and accuracy of anomaly detectors. This work
addresses some key aspects that must be taken into consideration when
benchmarking the performance of anomaly detection in the cyber-domain.
The set of security configuration benchmarks created by the Center for Internet
Security (CIS) is a very interesting initiative [2]. CIS is a non-profit organization
formed by several well-known academic, commercial, and governmental entities
that has created a series of security configuration documents for several commercial
and open source systems. These documents focus on the practical aspects of the
configuration of these systems and state the concrete values each configuration
option should have in order to enhance overall security of real installations.
Although CIS refers to these documents as benchmarks they mainly reflect best
practices and are not explicitly designed for systems assessment or comparison.
Vieira and Madeira proposed a practical way to characterize the security
mechanisms in database systems [23]. In this approach database management
systems (DBMS) are classified according to a set of security classes ranging from
Class 0 to Class 5 (from the worst to the best). Systems are classified in a given
class according to the security requirements satisfied.
In [15] the authors analyze the security best practices behind the many
configuration options available in several well-known DBMS. These security best
practices are then generalized and used to define a set of configuration tests that
can be used to compare different database installations. A benchmark that allows
database administrators to assess and compare database configurations is presented
in [14]. The benchmark provides a trust-based security metric, named minimum
untrustworthiness, that expresses the minimum level of distrust the DBA should
have in a given configuration regarding its ability to prevent attacks.
The use of trust-based metrics as an alternative to security measurement is
discussed in [16]. Araújo and Vieira also proposed a trustworthiness benchmark
based on the systematic collection of evidence (collected using static analysis
techniques) that can be used to select one among several web applications from a
security point of view.

5 Security in the Software Process

A software development process is composed of multiple phases [8]. To improve
the situation in software security it is important not only to understand the existing
approaches and tools but also to adequately integrate them in the development
process, i.e., to use such approaches and tools at the points of the process where
they can make the difference. Different authors divide the software process in
different ways, but usually software development includes the following phases
(which can be repeated in an iterative manner): initialization, design,
implementation, testing, deployment and decommissioning. Figure 1 shows a
simplified representation.
The process starts with requirements gathering (including security
requirements), followed by specification and design, implementation (coding),
testing and deployment. Decommissioning takes place when the product is not useful/
used anymore. Although code security concerns should be addressed during the
entire software product development lifecycle, as highlighted by [13], special
focus should be put on three key phases [9]: implementation, testing, and
deployment. The next points summarize the main challenges and put in the context
of these three phases the concepts, techniques and tools introduced in the previous
sections:

Fig. 1 Simplified version of a software product lifecycle

• Implementation: during coding we must use best practices that avoid the most
critical vulnerabilities in the specific application domain. Examples of practices
include input and output validation, the escaping of malicious characters, and the
use of parameterized commands [22]. Vulnerability and attack injection
techniques play in this phase a very important role in the evaluation of the best
security testing tools to use. Also, for the success of this phase, it is essential to
adequately train the development teams. For instance, experience shows that the
main reason for the vulnerabilities existing in web applications’ code is related to
training and education. First, there is a lack of courses/topics regarding secure
design, secure coding, and security testing in most computer science degrees [9].
Second, security is not usually among the developers’ main skills, as it is
considered a boring and uninteresting topic (from the development point of
view), and not as a way to develop new and exciting functionalities.
• Testing. As introduced in Sect. 2, there are many security testing techniques
available for the identification of vulnerabilities during the testing phase [22].
To mitigate vulnerabilities, it is necessary to have well-trained teams that
adequately apply those techniques during the development of the application.
The problem is that software quality assurance teams typically lack the
knowledge required to effectively detect security problems. It is necessary to
devise approaches to quickly and effectively train security assurance teams in
the context of web application development, by combining vulnerability
injection with relevant guidance information about the most common security
vulnerabilities. Also, benchmarking techniques should be applied to assess,
compare, and select the most adequate security testing tools for each concrete
scenario.
• Deployment. At runtime, it is possible to include in the environment different
attack detection mechanisms, such as Intrusion Detection Systems (IDS) and
Web Application Firewalls (WAF), among others. These mechanisms can
operate at different levels and use different detection approaches. The main
problems preventing their use are related to the performance overheads and to
the false positives that disrupt the normal behavior of the system. In this phase,
security benchmarking plays a fundamental role in helping to select the best
alternatives (in terms of servers, security mechanisms, etc.) to use, according to
specific security requirements. Also, vulnerability and attack injection
techniques represent in this phase an efficient way to evaluate the effectiveness of
the attack detection mechanisms to be installed.

6 Conclusions

Essential for deploying secure systems is the ability to understand security aspects in the
context of the software development process. Furthermore, it is of extreme
importance for software designers and developers to have at hand practical
approaches that allow an effective assessment of the security attributes of the
software components being designed/deployed.
This chapter presented key concepts, techniques and tools for developing secure
software systems. The chapter did not intend to provide a comprehensive survey,
but to focus on the aspects researched during the CRITICAL STEP project,
making it useful for the partners involved, in particular for the industrial partners,
and for other external partners that face similar challenges in the context of the
software industry.

References

1. Cachin, C., Camenisch, J., Deswarte, Y., Dobson, J., Horne, D., Kursawe, K., Laprie, J.-C.,
Lebraud, J.-C., Long, D., McCutcheon, T., Muller, J., Petzold, F., Pfitzmann, B., Powell, D.,
Randell, B., Schunter, M., Shoup, V., Veríssimo, P., Trouessin, G., Stroud, Robert J.,
Waidner, M., Welch, I.S.: MAFTIA: reference model and use cases (2000)
2. Center for Internet Security. http://www.cisecurity.org/
3. Christey, S., Martin, R.A.: Vulnerability type distributions in CVE. V1. 0. 10, 04 (2006)
4. Commission of the European Communities: The IT security evaluation manual (ITSEM)
(1993)
5. Echtle, K., Leu, M.: The EFA fault injector for fault-tolerant distributed system testing. In:
Workshop on Fault-Tolerant Parallel and Distributed Systems. IEEE Computer Society Press,
Amherst (1992)
6. Fonseca, J., Vieira, M., Madeira, H.: Testing and comparing web vulnerability scanning tools
for SQL injection and XSS attacks. In: 13th Pacific Rim International Symposium on
Dependable Computing (PRDC 2007) (2007)
7. Fonseca, J., Vieira, M., Madeira, H.: Vulnerability & attack injection for web applications.
In: IEEE/IFIP International Conference on Dependable Systems & Networks, 2009, DSN ‘09
(2009)
8. Ghezzi, C., Jazayeri, M., Mandrioli, D.: Fundamentals of software engineering. Prentice Hall
PTR, Upper Saddle River (2002)
9. Howard, M., Leblanc, D.E.: Writing Secure Code. Microsoft Press, Redmond (2002)
10. Infrastructure, P.K., Profile, T.P.: Common criteria for information technology security
evaluation. National Security Agency (2002)
11. Maxion, R.A., Tan, K.M.C.: Benchmarking anomaly-based detection systems. In:
Proceedings International Conference on Dependable Systems and Networks, 2000, DSN
2000 (2000)
12. McGraw, G., Potter, B.: Software security testing. IEEE Secur. Priv. 2(5), 81–85 (2004)
13. McGraw, G.: Software security: building security in. Addison-Wesley Professional, Boston
(2006)
14. Neto, A.A., Vieira, M.: A trust-based benchmark for DBMS configurations. In: 15th IEEE
Pacific Rim International Symposium on Dependable Computing, PRDC ‘09, pp. 143–150
(2009)
15. Neto, A.A., Vieira, M.: Towards assessing the security of DBMS configurations. In: IEEE
International Conference on Dependable Systems and Networks with FTCS and DCC, DSN
2008, pp. 90–95 (2008)
16. Neto, A.A., Vieira, M.: Benchmarking untrustworthiness. Int. J. Dependable Trustworthy Inf
Syst 1(2), 32–54 (2010)
17. Neves, N., Antunes, J., Correia, M., Verissimo, P.: Using attack injection to discover new
vulnerabilities. In: International Conference on Dependable Systems and Networks, DSN
2006 (2006)
18. OWASP Foundation: OWASP application security FAQ version 3. http://www.owasp.org/index.php/OWASP_Application_Security_FAQ
19. Qiu, L., Zhang, Y., Wang, F., Kyung, M., Mahajan, H.R.: Trusted computer system
evaluation criteria. In: National Computer Security Center (1985)
20. Singhal, A., Winograd, T., Scarfone, K.: Guide to secure web services: recommendations of
the national institute of standards and technology. Report, National Institute of Standards and
Technology, US Department of Commerce (2007)
21. Stock, A., Williams, J., Wichers, D.: OWASP top 10 (2007)

22. Stuttard, D., Pinto, M.: The web application hacker’s handbook: discovering and exploiting
security flaws. Wiley, Chichester (2007)
23. Vieira, M., Madeira, H.: Towards a security benchmark for database management systems.
In: International Conference on Dependable Systems and Networks, DSN 2005 (2005)
24. Sandia National Laboratories: Information operations red team and assessments™. http://www.sandia.gov/iorta/
