Vulnerability is one of the most common problems of the software industry. Cyber attacks are rising sharply, so today we'll learn about them. In terms of software development we call these weaknesses vulnerabilities.
No software is perfect in terms of security. Your software uses many jar files and a lot of code; we try our best, but somewhere we miss something or use a jar containing a piece of code through which attackers can gain access. It might be anything, for example an issue in JavaScript that exposes critical information such as passwords or account numbers, which is enough for attackers to gain access.
Another example: if you are using any third-party jars, they might contain code that directly exposes or leaks data on the UI console or in logs. The jar you use today may be secure, but over time it gets old, attackers find a way to exploit it, and they gain access to your software.
Top Vulnerabilities of 2023 –
- JsonWebToken (CVE-2022-23529).
- ChatGPT (CVE-2023-28858).
- Apache Superset (CVE-2023-27524).
- PaperCut NG/MF (CVE-2023-27350).
- Fortinet FortiOS (CVE-2022-41328).
- Adobe ColdFusion (CVE-2023-26360).
- MOVEit vulnerability (CVE-2023-34362).
Another example: once you develop your application or API, you might unwittingly expose attributes which are critical and not secured well enough in your code.
Categories of vulnerabilities –
- System Misconfigurations.
- Out-of-date or Unpatched Software.
- Missing or Weak Authorization Credentials.
- Malicious Insider Threats.
- Missing or Poor Data Encryption.
- Zero-day Vulnerabilities.
System Misconfigurations – As we rush to develop new technologies we miss out on secure network configuration. Network connections are the most frequent point of security breakage; most cyber crimes happen through insecure network connections. So while developing an application we should always consider secure connections and review them with cyber security experts.
Out-of-date or Unpatched Software – As I mentioned above about jars: once you use a jar, after a certain period of time it gets old, and by then cyber attackers have found a way to exploit it and gain access to your software.
Missing or Weak Authorization Credentials – This is the simplest way for a cyber crime to happen. You keep your password simple so that you can remember it, but such simple passwords are easily accessible to cyber attackers. That is why most sites ask for a password containing special characters, numbers, etc. Keep your password as complex as you can while still being able to remember it.
Malicious Insider Threats – Sometimes an employee who has access to internal systems shares data which is highly confidential. Such data can be anything, such as network information or secure IP connections, and it can lead to a cyber attack.
Missing or Poor Data Encryption – Encryption is one layer of security for your data when it is shared or transmitted over the network. There are many ways to encrypt your data. For example, once you log in to your banking app and enter your username and password, you get a screen with all your details like balance, address, etc. This data is stored somewhere on the bank's side, but once you enter your details they transfer all of it from their server to your mobile or wherever you logged in. So while sending the data they should use a secure encryption method to protect their users' data.
Zero-day Vulnerabilities – These are vulnerabilities which are not yet known to the software development team but which cyber attackers have identified and are able to use to inject malicious code into your application.
Life Cycle of Vulnerabilities
In this section we'll learn how to detect a vulnerability, identify its type, fix it and mitigate it.
1- Detection of Vulnerability
Detection of a vulnerability can be done with multiple methods:
- Scanning :- Once you develop your software you can use already available tools such as SolarWinds Network Configuration Manager (NCM), ManageEngine Vulnerability Manager Plus, Rapid7 Nexpose, Tripwire IP360 and others, which are common vulnerability detection solutions. These tools help to identify vulnerabilities.
- Penetration Testing :- Most software companies have their own penetration testing team. This testing can be manual or automated. They take your software and run their automated testing scripts. Once testing is complete they generate a report listing all the vulnerabilities found. The developers then need to go through it and fix each one.
- Google Hacking :- Also known as Google dorking, this is used by attackers to collect information. It uses a search engine to identify vulnerabilities.
- Review while writing code :- This is not a technique so much as a good software development lifecycle practice. While developing software you can have your code reviewed by senior members of the team; they can help identify vulnerabilities so you can fix them during the development phase itself.
2- Prioritize your Vulnerability :-
Once you have identified your vulnerabilities, the next step is to define the level of risk. There is a chance you will find a lot of vulnerabilities; based on the criticality of each you can prioritize and fix the critical ones first, and so on.
3- Fixing/ Addressing Vulnerability :-
Once you have identified and prioritized the vulnerabilities you need to fix them. There are different ways you can address them; let's discuss them –
- Remediation – This is the most common and widely adopted technique used by development teams. It means the vulnerability is completely fixed and the fix is released as a patch.
- Mitigation – This is a technique for buying time until a reliable fix is found.
- Acceptance – Vulnerabilities which have minimal impact are accepted by the organization because their impact is very small. Organizations categorize vulnerabilities as Critical, High, Medium, Low and No impact.
At the end of 2021 we got a critical vulnerability which impacted almost all organizations all over the world: CVE-2021-44228, a vulnerability in the Apache Log4j library.
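As an added example (not code from the original post), here is a small Python triage that ties the jar-aging problem from the Out-of-date Software section to the Prioritize and Fixing steps above: it checks a constructed dependency list against a constructed advisory table, orders the findings by the post's severity categories and picks Remediation, Mitigation or Acceptance for each. The artifact names, the version ranges other than Log4j's, the CVE-EXAMPLE-* placeholders and the Low/No-impact acceptance threshold are assumptions of the example.

```python
from collections import namedtuple
# Fields: Maven coordinate, CVE id, first affected version (inclusive),
# first fixed version (exclusive; None = no reliable fix yet), severity.
Advisory = namedtuple("Advisory", "artifact cve first_affected fixed_in severity")

# Constructed table. CVE-2021-44228 is the Log4j id named in the post (2.x before
# 2.15.0 affected); the CVE-EXAMPLE-* rows are placeholders, not real identifiers.
ADVISORIES = [
    Advisory("org.apache.logging.log4j:log4j-core", "CVE-2021-44228", "2.0", "2.15.0", "Critical"),
    Advisory("com.example:legacy-util", "CVE-EXAMPLE-0001", "1.0", None, "Medium"),
    Advisory("com.example:banner-lib", "CVE-EXAMPLE-0002", "3.0", "3.1", "Low"),
]
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "No impact": 4}

def parse_version(v):
    """Turn '2.14.1' or '2.15.0-rc1' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in v.split("-")[0].split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version, adv):
    """True when version lies in [first_affected, fixed_in) for this advisory."""
    v = parse_version(version)
    if v < parse_version(adv.first_affected):
        return False
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)

def choose_treatment(adv):
    # Acceptance for minimal impact (Low / No impact is this example's threshold),
    # Mitigation while no reliable fix exists, otherwise Remediation by upgrading.
    if adv.severity in ("Low", "No impact"):
        return "Acceptance"
    if adv.fixed_in is None:
        return "Mitigation"
    return f"Remediation (upgrade to {adv.fixed_in})"

def triage(dependencies):
    # Match each (artifact, version) against ADVISORIES and return findings as
    # (severity, artifact, version, cve, treatment), most critical first.
    findings = [(a.severity, art, ver, a.cve, choose_treatment(a))
                for art, ver in dependencies for a in ADVISORIES
                if a.artifact == art and is_affected(ver, a)]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])

# Constructed dependency list, as `mvn dependency:list` might report it.
DEPENDENCIES = [
    ("com.example:banner-lib", "3.0.2"),
    ("org.apache.logging.log4j:log4j-core", "2.14.1"),
    ("com.example:legacy-util", "1.4"),
    ("org.apache.logging.log4j:log4j-core", "2.17.1"),  # already patched, no finding
]
```

Calling `triage(DEPENDENCIES)` returns the ordered plan: the Log4j 2.14.1 module first (Critical, upgrade to 2.15.0), then the unfixed Medium finding for mitigation, then the Low one for acceptance, while the patched 2.17.1 module produces no finding.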