Software Security Concerns 🔐

Thilini Weerasinghe
7 min readMay 22, 2021

--

Source: https://www.csoonline.com/

In this article we are going to discuss about both software and application security concerns….

👉 Software Security

Software security considered as the pre-deployment security ensuring activities. Because these are the security concerns that try to ensure in the development phase to avoid from the data loss and hijacked. Here are some example for software security activities.

  • User authentication
  • Secure coding that follows standards and guidelines
  • Secure software design
  • Function level access control
  • Third-party component validation
  • Cryptography
  • User input validation

👉 Application Security

Application security can be considered as post-deployment security concern activities as they try to ensure the continuity of the software application after the deployment. Here are some activities that coming under the application security activities.

  • IP filtering
  • Patch/ upgrade
  • Detection of malicious code
  • Post deployment security tests
  • Real-time monitoring

Technical and Non-Technical hacking

Software system has security threats from both technical and non-technical hacking incidents. Both of them can give huge impact to the our systems and can lead to the huge loss for the organizations. Sometimes avoiding from technical hacking is easier than avoiding from non-technical hacking as there are not any standard way to do the non-technical hacking.

Technical hacking

In technical hacking, hackers use technology-based approaches to spread malwares or stole personal data as presenting as the real application systems. In such situations what it does is, launching a threatful web application which contains all the basic features of original websites to represent as the real application and then get the users or organizational data or emails to get access to the organizational network and spread the malware or stole information for their personal benefits. DNS spoofing, MIM attacks, ARP poisoning and sending virus to the network are some technical hacking techniques.

Non-technical hacking

In non-technical hacking, attacks are based on deception of human weakness. It take advantage of lack of IT/Information security knowledge of the people and some times they use social engineering techniques to launch non-technical hacking approach. Lack of security knowledge means some people use same password for their social media accounts and business applications. Therefore, though the business system has high security to detect hacking situations, attackers can stole confidential information from the social media and use them for accessing the organizational network too. Not only that but also think if someone give his/her Gmail password for one of friend as “12345@gm” then the friend has good general knowledge and he thinks that gm stands for gmail and then try “12345@fb” as the password for the facebook and access his/her social media. In here it hasn’t use any technical method to access the social media sites. Social engineering plays major role in non-technical hacking.

Social Engineering

Social engineering is a psychological manipulation techniques that use tricks to get sensitive information or identify security mistakes via the human interactions. It’s can be happened in either one step or more steps. If the hacker has the login details it attacks in one steps. Otherwise they have to gone for a set of activities. First phase is preparing the ground for attacks. It has three steps including identifying the victims, collecting the background information and selecting the methods for attack. Next phase is launching the attacks for the target system. Following figure shows the four phases in social engineering.

Social Engineering Life Cycle (source: https://www.imperva.com/)

As an example think you wants to know the answers for the security questions to get the access for the system. The thigs that you can do is build a relationship with the person and know about him. Sometimes you can go for a Café and have a friendly talk while drinking a coffee and can get information about themselves and their likes and dislikes. So it is a kind of simple method for social engineering.

Social Engineering Attack Techniques👇

✏️ Pretexting: It is a technique that attacker establishing close relationship among the victims and its co-workers. Then he ask questions and gather personal data that are necessary to confirms the victim’s identity

✏️Phishing: It is most famous social engineering attack technique. What it does is, it sends links through the emails or text messages mentioning urgent situation and then after clicking that link it directs to the malicious website and it may consists of malware. Otherwise they pretend as original website and gather sensitive data from the users.

✏️Baiting: As it reveals in the name, it traps the users and steals their sensitive and personal details send malware to the systems. It basically use physical devices or online forms to spread the malware. As an example attackers can malware infected-flash drive in the car park and label as company payroll list. Then the some employee took that flash drive and insert it into its personal or office machine and then the malware is spread across the network.

✏️ Scareware: It is a techniques that victims being bombarded with false alarms and fictitious threats. Then the victims thought that their systems was infected and try to install another software that suggested by the attackers which contains malware or no benefits for installing. As an example while you are surfing the web, sometimes it gives notice that your computer was infected and warn you to install malware contains tools and at that time your computer becomes infected.

How to avoid that security threats

To avoid from the social engineering attacks, what we can do is use multifactor authentication to verify your login information, always be aware of suspicious situations and don’t open any emails or links which is not coming from trusted party, keep the antivirus software in up to date and always be wary of tempting offers. Always ask from knowledgeable person or search in google to get information about actual offers and trap.

➡️ Encryption

It is a security ensuring method that hides the actual meaning of the message/information by converting original information with secret code. The art of doing encryption and decryption is known as the cryptography. Original information is known as the plaintext and it becomes ciphertext after the encryption process. encode or decode formula is known as the cipher or encryption algorithm. It has major two categories called symmetric and asymmetric encryption.

🔑Symmetric encryption

source:https://www.cheapsslshop.com/

In symmetric encryption id encrypt and decrypt message using a shared key. To keep the security this shared key must be shared in secure manner. Therefore we can use Block Cipher or Stream Cipher techniques to enable secure symmetric encryption. But sometimes someone can intercept in sharing the key and it is also a problem and then the asymmetric encryption was introduced.

🔑Asymmetric Encryption

Source: https://www.cheapsslshop.com/

In asymmetric encryption it uses different keys to encrypt and decrypt the message. Both senders and receivers has two key pairs called public and private key. The asymmetric encryption process is happened when the sender encrypt the message using its public key and receiver decrypt the message using its private key. Private key are not sharing with others and then the particular receiver only can decrypt the message and get the information.

➡️ Hashing

Hashing password (source:https://www.passmoz.com/where-windows-password-stored.html)

In hashing it doesn’t use any key for the encryption. It uses hashing algorithm to generate a number called hash value or checksum. Then this hash value is used to verify whether some modifications is happened in transferring the message or not. So it allows for the data integrity. The important thing is that no matter how log or how many times that you perform hash algorithm in particular message, the hashing value remain same as the first one. It generates an unique value for the every file and there cannot be two file which contains same hashing value. If is happened it is known as collision of that hashing algorithm. SHA, RIPEMD, WHIRLPOOL and TIGER are some of example for the hashing algorithms.

➡️ Salting

Password Hash Salting (source:https://www.wordfence.com/learn/how-passwords-work-and-cracking-passwords/)

Salting is a extended version of hashing techniques. What is does is before going for the hashing process it go for a salting process(adding a random generated text for the original password )to increase the security by strengthen the general process. This salting text is also unique for one password to another password and it is random generated and stored as plain text.

If you need to know about this process in detail click here.

Summary

Security is the most important facts that should be ensure before and after the software development process. Attackers can use technical and non-technical hacking techniques to send malware and steal the information from the software system. There for all the internet users should have knowledge about this hacking technology. This article explains these concepts in detail. Social engineering is most powerful non-technical hacking techniques and difficult to detect them. To overcome these issues users should be aware of the threat issues and prevention method and encryption, hashing and salting are some technical prevention techniques that used in developing the software architecture.

Stay Safe & Learn New Things!!! 😃 📖

--

--

Thilini Weerasinghe
Thilini Weerasinghe

Written by Thilini Weerasinghe

Currently working as an Associate Software Engineer at Virtusa. Has completed degree in B.Sc (Hons) Computing & Information Systems. After all I am a Human...

No responses yet