Friday, June 01, 2007

How Security Problems Happen

As computers and web-based software have become deeply integrated into our daily lives, so has a consciousness of security issues and the vulnerability of digital information. Even in the past few months, a number of high-profile breaches of computer security have been widely reported.

How do attacks happen? Although specifics vary, a surprising number of security breaches come through the same pathways -- just as a large number of residential burglars enter through the front door.

The SANS Software Security Institute has just released a report analyzing the top security vulnerabilities reported during 2006. The report identifies three main programming errors that were responsible for most breaches. Even non-programmers can learn something from it.

Error 1: Accepting input from users without validating it. If you sell your car to a dealer, he's probably going to pop the hood and make sure the vehicle contains an engine before he writes you a check. In the same way, a web-based application needs to check that any data it receives is safe before it uses it. In a simple case, attackers (usually automated software rather than actual human beings) can manipulate an insecure contact form on your website into sending spam, by slipping extra e-mail headers into a form field that the form copies straight into the outgoing message. More serious attacks, such as feeding unchecked input into a database query (known as SQL injection), could expose an entire database of customer information to the world.
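For readers who want to see what the contact-form case looks like in code, here is a small added example (written for this page, not taken from the SANS report or from any real website). It is in C so that it matches the example used further down for overflows. The function names, the fake webmaster address, the 512-byte header limit and the spam-style input are all this example's own choices; the only thing that matters is the one check the hardened version adds.

```c
/* Added example (not from the original post): a contact form's "subject" field
 * copied straight into an e-mail header, beside a version that validates it first.
 * Names, the 512-byte limit and the sample input are this example's own assumptions. */
#include <stdio.h>
#include <string.h>

#define HDR_MAX 512

/* Vulnerable: pastes the user's subject into the header block unchecked.
 * A subject containing "\r\n" ends the Subject: line early, so whatever follows
 * becomes a new header of the attacker's choosing (for example Bcc:), and the
 * contact form turns into a spam relay. */
int build_headers_unchecked(const char *user_subject, char *out, size_t outsize)
{
    int n = snprintf(out, outsize,
                     "To: webmaster@example.com\r\nSubject: %s\r\n", user_subject);
    return (n < 0 || (size_t)n >= outsize) ? -1 : n;
}

/* Validation: a subject may not contain a carriage return or line feed (the only
 * characters that can start a new header line) and must be reasonably short. */
int subject_is_clean(const char *user_subject)
{
    if (strlen(user_subject) > 200) return 0;
    return strpbrk(user_subject, "\r\n") == NULL;
}

/* Hardened: refuse the submission unless the subject passes validation. */
int build_headers_checked(const char *user_subject, char *out, size_t outsize)
{
    if (!subject_is_clean(user_subject)) return -1;
    return build_headers_unchecked(user_subject, out, outsize);
}

/* Returns 1 if the built header block contains an injected Bcc: header. */
int headers_contain_bcc(const char *headers)
{
    return strstr(headers, "\r\nBcc:") != NULL;
}

/* Does the unchecked builder turn this subject into extra headers? */
int unchecked_injects_bcc(const char *user_subject)
{
    char buf[HDR_MAX];
    if (build_headers_unchecked(user_subject, buf, sizeof buf) < 0) return 0;
    return headers_contain_bcc(buf);
}

/* Does the checked builder accept this subject at all? */
int checked_accepts(const char *user_subject)
{
    char buf[HDR_MAX];
    return build_headers_checked(user_subject, buf, sizeof buf) >= 0;
}

int main(void)
{
    /* Constructed sample input: what an automated spammer would submit. */
    const char *attack = "Hello\r\nBcc: victim1@example.org, victim2@example.org";
    const char *honest = "Question about pricing";
    printf("unchecked form, spam input: Bcc injected? %d\n", unchecked_injects_bcc(attack));
    printf("checked form, spam input:   accepted?     %d\n", checked_accepts(attack));
    printf("checked form, honest input: accepted?     %d\n", checked_accepts(honest));
    return 0;
}
```

The same idea applies to any field that ends up inside something with its own syntax (an e-mail header, a database query, a web page): decide what the field is allowed to contain, check it, and reject anything else rather than trying to clean it up afterwards.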

What can you do? If you're responsible for having a website or application developed, discuss the security implications with your programmers and be sure they have a good understanding of how to handle these issues.

Errors 2 and 3: Buffer and integer overflows. In plain English, a buffer is a bucket of computer memory that's intended to hold a certain amount of information. If an attacker force-feeds more data than expected into a buffer, the excess spills into neighboring memory, and by controlling what spills there he can sometimes manipulate the computer into executing code of his choosing. A related attack forces the value of a number to become larger than the software is equipped to handle: the number wraps around to a small (or negative) value, which can fool a size check and open the door to the same kind of overflow. Most of these kinds of attacks occur on system-level software that the average user has little control over.
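Here is an added example (written for this page, not taken from the SANS report) of how the two errors fit together. It shows a tiny record parser whose "does it fit?" check is done with a number that can only count up to 65,535; hand it a length of 65,535 and the arithmetic wraps around to 7, the check passes, and the copy that would follow it writes far past the end of the buffer. The corrected check beside it cannot be fooled this way. The record layout (64 bytes with an 8-byte header), the function names and the sample payload are this example's own assumptions.

```c
/* Added example (not from the original post): a length check defeated by integer
 * wraparound, beside one that checks correctly. The 64-byte record, 8-byte header,
 * function names and sample payload are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECORD_SIZE 64
#define HEADER_SIZE 8

/* Vulnerable size check: HEADER_SIZE + len is stored in 16 bits, so a len of
 * 65535 becomes 8 + 65535 = 65543, which wraps around to 7. Seven "fits" in 64
 * bytes, so the check passes. A memcpy of 65535 bytes after such a check would
 * write far past the buffer: a buffer overflow produced by an integer overflow. */
int fits_wrapping(uint16_t len)
{
    uint16_t total = (uint16_t)(HEADER_SIZE + len);
    return total <= RECORD_SIZE;
}

/* Hardened: compare the length itself against the space that remains, which
 * involves no arithmetic that can wrap. */
int fits_checked(uint16_t len)
{
    return len <= RECORD_SIZE - HEADER_SIZE;
}

/* Copy a payload into a fixed 64-byte record after the header.
 * Returns the number of bytes copied, or -1 if the payload is rejected.
 * Because it uses the checked test, the memcpy can never run past 'record'. */
int copy_payload(uint8_t record[RECORD_SIZE], const uint8_t *payload, uint16_t len)
{
    if (!fits_checked(len)) return -1;
    memset(record, 0, RECORD_SIZE);
    memcpy(record + HEADER_SIZE, payload, len);
    return len;
}

/* Constructed sample: a 56-byte payload presented with a caller-supplied (and
 * possibly lying) length, the way a length field arrives in a network packet. */
int demo_copy(uint16_t claimed_len)
{
    static const uint8_t payload[RECORD_SIZE - HEADER_SIZE] = "constructed payload";
    uint8_t record[RECORD_SIZE];
    return copy_payload(record, payload, claimed_len);
}

int main(void)
{
    printf("len 65535: wrapping check says fits=%d, correct check says fits=%d\n",
           fits_wrapping(65535), fits_checked(65535));
    printf("len 56:    wrapping check says fits=%d, correct check says fits=%d\n",
           fits_wrapping(56), fits_checked(56));
    printf("copy with claimed length 56 -> %d, with claimed length 65535 -> %d\n",
           demo_copy(56), demo_copy(65535));
    return 0;
}
```

Notice that the dangerous version never does anything visibly wrong on ordinary input; it only misbehaves on the one value an attacker goes looking for. That is why these bugs survive testing and why the fix usually arrives as a patch rather than being caught before release.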

What can you do? Apply software patches as soon as they're released. Don't ignore that Windows Update icon that says you have updates to install. Install antivirus software and keep it up to date.

These measures will not make your software invulnerable to attack. Even well-designed programs can fall prey to a determined attacker, just as a well-secured home may be burglarized. But you should still lock the front door.
