Software Security

The document discusses software security, emphasizing its importance in mitigating risks from external and internal threats, such as cyber attacks and human errors. It outlines various tools and best practices for enhancing software security, including secure coding, regular patching, and security training. Additionally, it highlights the challenges faced in maintaining software security due to evolving threats and resource constraints.

Uploaded by

mahengejimson02
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
44 views24 pages

Software Security

The document discusses software security, emphasizing its importance in mitigating risks from external and internal threats, such as cyber attacks and human errors. It outlines various tools and best practices for enhancing software security, including secure coding, regular patching, and security training. Additionally, it highlights the challenges faced in maintaining software security due to evolving threats and resource constraints.

Uploaded by

mahengejimson02
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 24

Software Security

Ms. ZUBEDA KILUA


OUTLINE
• What is Software Security
• What are the threats to Software
• Importance of Software Security
• Issues Related to Software Security
• Types of IT Security
• Tools for Software Security
• Software Security vs. Cyber Security
• Best Practices for Software Security
What is Software Security?

• Software Security is aimed at finding and reducing security risks. These risks take different forms and include external threats, such as cyber attacks, and internal weak points caused not only by coding mistakes but also by inadequate design or other defects that may exist in a particular piece of software.
• Essentially, software security is a shield against many threats that, if not addressed, may cause data leaks, loss of money, or a loss of users' trust in the company.
What are the threats to Software?

1. External Threats
• External threat is the term used for the likes of hackers, criminals operating on the internet and state-sponsored entities. Weak points in software may allow them to steal confidential information and even break into systems, stopping those systems from functioning or spreading viruses.

Common external threats include:
• Malware: Malware such as viruses, worms and ransomware may enter through vulnerable software.
• Distributed Denial of Service (DDoS) Attacks: In essence, these attacks flood a system or a network with traffic, making it inaccessible to users who need to make genuine requests.
• Phishing: Attackers use deceitful means to make people reveal confidential data such as login credentials and financial details.
• Data Breaches: Vital data such as personal information or financial transactions may be lost and then used by unwanted individuals.

2. Internal Threats
• Internal threats result from people within the organization, whether inadvertently or purposely. They may include:
• Insider Threats: Privileged people, such as employees or others who have access to the software, may use it against the organization and steal data.
• Human Error: Unintentional employee behaviours, including misconfiguration and accidental data leaks, are among the main risks.
Importance of Software Security

• Software security is one area that should not be underestimated, because it affects people and institutions alike. Here are some of the key reasons why software security is critical:
• Data Protection: Most software handles confidential data such as personal or financial information. Failure to secure software results in data breaches, identity theft and monetary losses.
• Business Continuity: Security incidents can put operations on hold, resulting in revenue losses and a negative impact on the image of an organization.
• Regulatory Compliance: Many countries across the globe have rigid data protection laws, which cut across industries and governments as well. Failure to comply may lead to legal liabilities and loss of reputation.
• User Trust: Data handling must conform to user expectations, being highly confidential and careful. Customers can lose faith in a company and refuse to buy its products due to broken trust.
• Intellectual Property Protection: In many cases, software constitutes crucial intellectual property. It is important to guard it from those who may use it without permission and cause financial losses.
Issues Related to Software Security

• There are numerous issues and challenges associated with software security, such as ensuring confidentiality and integrity, preserving availability, detecting attacks or intruders, malware and viruses, and mitigating damage after an intrusion has occurred, as well as deterrence and prevention.
• Some common issues include:
• Complexity of Software: Finding and fixing security holes becomes harder as software gets more complicated.
• Evolving Threat Landscape: New forms of cyber attacks and vulnerabilities appear frequently, so cyber threats are ever-changing.
• Lack of Awareness: Many developers and organizations are unknowingly running insecure programs.
• Resource Constraints: Small organizations are often unable to focus on provisioning for software security, such as security personnel and security tools, the way larger organizations do.
• Legacy Systems: Maintaining the security of outdated or "legacy" software can prove challenging, since it may not even benefit from modern security solutions.
Tools for Software Security

1. Static Application Security Testing (SAST)
• Responsibility: Developers and code reviewers.
• Description: SAST tools examine the source code of applications for vulnerabilities while they are being developed. Examples of SAST tools are Fortify, Checkmarx and Veracode.

2. Dynamic Application Security Testing (DAST)
• Responsibility: Security teams and testers.
• Description: DAST tools test running programs by mimicking realistic exploits. Some of the widely used DAST tools are Burp Suite, OWASP ZAP, and Nessus.

3. Web Application Firewalls (WAF)
• Responsibility: Security administrators.
• Description: WAFs are made for blocking common internet-based attacks such as XSS and SQL injection that target web applications. Some of the popular WAFs are ModSecurity and Imperva.

4. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
• Responsibility: Security teams and administrators.
• Description: IDS and IPS devices monitor traffic on the internal network, looking for indications of suspicious or malicious behavior, which they may then alert on (IDS) or even block (IPS). The two most commonly used open-source IDS/IPSs are Snort and Suricata.

5. Security Information and Event Management (SIEM)
• Responsibility: Incident response team and security analysts.
• Description: SIEM platforms collect and monitor security data generated by different sources so that organizations can detect and respond to threats. Some of the SIEM tools are Splunk, LogRhythm, and IBM QRadar.
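To make the SIEM idea concrete, here is an added example (not from the slides or any named SIEM product) of the kind of correlation rule such a platform runs: it reads constructed authentication log lines and raises an alert when one source address produces five or more failed logins inside a one-minute sliding window. The log format, threshold and window are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (invented for this example; the
# format "<ISO timestamp> <service> <event> user=<u> src=<ip>" is assumed).
SAMPLE_LOGS = """\
2024-05-01T10:00:01 sshd auth_failed user=root src=203.0.113.7
2024-05-01T10:00:03 sshd auth_failed user=admin src=203.0.113.7
2024-05-01T10:00:04 sshd auth_ok user=alice src=198.51.100.5
2024-05-01T10:00:06 sshd auth_failed user=test src=203.0.113.7
2024-05-01T10:00:09 sshd auth_failed user=oracle src=203.0.113.7
2024-05-01T10:00:12 sshd auth_failed user=guest src=203.0.113.7
2024-05-01T10:07:00 sshd auth_failed user=bob src=198.51.100.5
"""

def parse(line):
    """Split one log line into (timestamp, event, user, source ip)."""
    ts, _service, event, user, src = line.split()
    return (datetime.fromisoformat(ts), event,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source that has >= threshold auth failures
    within any sliding window of the given length."""
    failures = defaultdict(list)          # src ip -> [(ts, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse(line)
        if event == "auth_failed":
            failures[src].append((ts, user))
    alerts = []
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits the window length.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "count": end - start + 1,
                               "users": sorted({u for _, u in events[start:end + 1]}),
                               "first": events[start][0], "last": events[end][0]})
                break                     # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print(alert)
```

Sources that fail only occasionally, like 198.51.100.5 in the sample, never reach the threshold and produce no alert.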
6. Secure Coding Practices
• Responsibility: Developers.
• Description: Developers have the duty to write secure code and adhere to best practices in software development. This encompasses a number of items, such as preventing the most frequently committed programming mistakes that can introduce weaknesses.
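As an added illustration of the "most frequently committed programming mistakes" this slide refers to, and of the XSS and SQL injection that the WAF slide says must be blocked, the following example (written for this page, not from the slides) shows a login query and an HTML greeting in their vulnerable form next to their hardened form. The in-memory user table and the test inputs are constructed for the demo.

```python
import html
import sqlite3

def make_db():
    """Constructed in-memory user table (sample data for the demo only;
    passwords are stored in clear here to keep the example short, real
    code stores a salted hash)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return db

def login_unsafe(db, name, pw):
    """Vulnerable: user input is spliced into the SQL text, so a quote
    character in `name` changes the structure of the query (SQL injection)."""
    q = f"SELECT role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    row = db.execute(q).fetchone()
    return row[0] if row else None

def login_safe(db, name, pw):
    """Hardened: parameterized query; the driver binds the values as data,
    so they are never interpreted as SQL syntax."""
    q = "SELECT role FROM users WHERE name = ? AND pw = ?"
    row = db.execute(q, (name, pw)).fetchone()
    return row[0] if row else None

def greeting_unsafe(name):
    """Vulnerable to XSS: the name is inserted verbatim into HTML."""
    return f"<p>Welcome, {name}</p>"

def greeting_safe(name):
    """Hardened: output encoding turns markup characters into entities."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"

if __name__ == "__main__":
    db = make_db()
    # Constructed test input: the quote closes the string and "--" starts an
    # SQL comment, so the unsafe query never checks the password.
    probe = "alice' --"
    print(login_unsafe(db, probe, "wrong"))   # admin (password check bypassed)
    print(login_safe(db, probe, "wrong"))     # None (no such user name)
    print(greeting_unsafe("<b>x</b>"))        # markup reaches the browser
    print(greeting_safe("<b>x</b>"))          # markup rendered as text
```

A SAST tool from the earlier slide would flag the f-string query in `login_unsafe`; a WAF might catch the probe at the network edge, but only the parameterized version removes the defect itself.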
7. Security Training and Awareness
• Responsibility: All employees.
• Description: Security training and awareness programs are vital to educate all employees about potential threats and best practices to mitigate them. It is everyone's responsibility to be vigilant and report security concerns.

8. Patch Management
• Responsibility: IT and security teams.
• Description: Addressing known vulnerabilities requires keeping software and its security patches updated regularly.
Best Practices for Software Security

Good software security has to be achieved through a systems engineering methodology combined with appropriate best practices during the software development lifecycle. Here are some key best practices:
• Secure Coding: Developers should follow secure coding guidelines and standards, and their code must be routinely examined for security problems and updated over time.
• Regular Patching: Apply security patches and updates for software as well as third-party components in time.
• Penetration Testing: Perform periodic pen-testing to uncover weaknesses in software applications. This makes sure that the security measures actually work.
• Access Control: Protect sensitive functions and information by implementing strong access controls, the least privilege principle and authentication measures.
• Encryption: Encrypt data both within an organization and while it is on its way out of the organization. This entails encryption of confidential data, communications, and memory.
• Security Training: Conduct regular security training and awareness programs that equip workers with knowledge of typical dangers and of how to report security-related occurrences.
• Incident Response Plan: Create a preparedness plan that handles security incidents properly, so that a failure of the security measures in place does not make the situation worse.
• Secure Development Lifecycle: Embed security in the SDLC by performing security reviews throughout the phases, from development to final roll-out.
• Threat Modeling: Threat modeling involves identifying possible security threats and vulnerabilities at the design and planning stages of a software development project.
• Compliance: Follow all applicable security policies and regulations to make sure software meets the security provisions for a particular sector.
