Secure software development entails the utilization of several processes, including the implementation of a Security Development Lifecycle (SDL) and secure coding itself.
Considering all the successful cyber-attacks that take advantage of software vulnerabilities, it’s become essential for organizations to purchase and use only the safest software, while implementing secure software development modalities.
For most organizations, a major step toward secure software development is awareness. For example, it’s important to know that one of the most common attacks on software is called buffer overflow.
A buffer overflow occurs when more data is written to a buffer than it can hold. The excess data is written to the adjacent memory, overwriting the contents of that location and causing unpredictable results in a program. Buffer overflows happen when there is improper validation.
It is considered a bug or weakness in the software.
Cyber criminals exploit a buffer overflow bug by injecting code that is specifically tailored to cause buffer overflow with the initial part of a data set, then writing the rest of the data to the memory address adjacent to the overflowing buffer. The overflow data might contain executable code that allows the attackers to run bigger and more sophisticated programs or grant themselves access to the system.
Buffer overflows are one of the worst bugs that can be exploited by an attacker mostly because it is very hard to find and fix, especially if the software consists of millions of lines of code.
Best prevention to buffer overflow is to pay special attention to where buffers are used, modified and accessed. Of particular note would be functions dealing with input supplied by a user or other outside source, as these would provide the easiest vector for exploitation of the overflow.
For example, when asking a user a yes or no question, it seems feasible to store the user’s string input in a small buffer—only large enough for the string “yes.”
Want to learn more? Tonex offers Secure Software Development Training, a 3-day hands-on course where participants learn techniques and guidelines for developing secure software.
Best industry practices are discussed to prevent security vulnerabilities in web-based, mobile, common business applications, enterprise, defense and embedded software systems. Secure Software Development Training course contains a mix of lecture, case studies, workshops and hands-on exercises that emphasize secure application and software development.
For more information, questions, comments, contact us.