Tedext

Software Vulnerabilities - Vulnerabilities major disruption to a business

INFA 670

Assignment on Software Vulnerability

Software vulnerabilities, especially vulnerabilities in code, are a major security problem today. Not all bug or flaws in software become security vulnerabilities, but some of them do.

An attacker can exploit these vulnerabilities to cause major disruption to a business.  An exploit can result in a variety of damages including crash of a system, taking the role of a super user, deleting of information in a file or an entire file, changing critical content in a database or a file, stealing valuable proprietary information, planting of  malware, turning a system into a bot so to launch attacks on other systems.

Common software code vulnerabilities include:

·         Buffer overflow

·         Logic error or logic bombs

·         Race conditions

·         Format string vulnerability

·         Cross-site scripting

·         Cross-site request forgery

·         SQL and other command  injection

·         Memory leak

·         Incomplete mediation

·         Integer overflow, underflow, and sign conversion errors

·         Insufficient data validation

The name of vulnerability and the name of an attack that exploits it are often called by the same name. For example, the attack that exploits the buffer overflow vulnerability is known as the buffer overflow attack. Similarly, a race-condition attack leverages a race condition vulnerability.

An attacker can and have exploited more than one vulnerability in the same attack to cause more damage than would be possible with a single vulnerability.

Two organizations focus on improving software security and thus track the various vulnerabilities on a continual basis. They are (1) Common Weakness Enumeration (CWE) by SANS/Mitre https://cwe.mitre.org/index.html), and  (2) The Open Web Application Security Project  (OWASP) (see https://www.owasp.org/index.php/About_OWASP ).  I am attaching two documents here, CWE Top 25 and OWASP Top 10. Please note the vulnerabilities or the type of vulnerabilities are not the same in these two lists. This is because, OWASP’s focuses only on web applications.    Also, the two lists are also not exactly the same as the above bulleted list. They do, however, overlap.

In this exercise, you will investigate two vulnerabilities of your choice from these two lists or any other reputable source. For each of the two vulnerabilities you have chosen, you will explain the vulnerability including where it occurs (e.g., C language, database, web browser, etc.) and an example attack that exploited it. You will also describe how the vulnerability can be minimized, prevented or mitigated. 

All the description should be in your own words. You may use code excerpt to illustrate the vulnerability or remove the flaw that is the source of the vulnerability.

Your report should not be more than two pages long (double-spaced) for each vulnerability. You need to consult at least two references for each vulnerability.

The assignment will be graded using the following rubric:

·         Description of the Vulnerability: 50%

·         Mitigation/Prevention Techniques: 30%

·         Bibliography: 10%

·         Grammar/English: 10%

OWASP Top 10 - 2013.pdf

2011_cwe_sans_top25.pdf

Software Vulnerabilities - Vulnerabilities major disruption to a business

  • Order

  • Payment

  • Processing

  • Delivery

Validation error occured. Please enter the fields and submit it again.
Thank You ! Your email has been delivered.