What is a Software Vulnerability?
Understanding software vulnerabilities is fundamental to managing modern security threats. Whether your business depends on software created by third parties, software built by your own developers or a combination of both, the ability to detect and manage software vulnerabilities is absolutely central to keeping software secure and shifting security left.
This article explains what software vulnerabilities are, how they work, and best practices for protecting against them.
What Is a Software Vulnerability?
A software vulnerability is a defect in software that could allow an attacker to gain control of a system.
As we explain in greater detail below, the defects that cause software vulnerabilities can result from flaws in the way the software is designed, problems with the software’s source code, poor management of data or access control settings within the application or any other type of issue that attackers could potentially exploit.
What Can an Attacker Do With a Software Vulnerability?
An attacker can exploit a software vulnerability to steal or manipulate sensitive data, join a system to a botnet, install a backdoor, or plant other types of malware. In addition, after penetrating into one network host, the attacker could use that host to break into other hosts on the same network.
The specific exploits that an attacker can execute vary from one vulnerability to the next. Not all vulnerabilities allow attackers to cause the same types of harm, and not all vulnerabilities create equally severe risks.
However, all vulnerabilities pose at least some level of risk to the applications they impact, as well as the environments that host those applications and any resources that integrate with the applications.
How Are Vulnerabilities Exploited?
To take advantage of a vulnerability, an attacker must first discover the vulnerability. Attackers can do this in a variety of ways. But to provide an example, one common technique for finding vulnerabilities is to run port scanning software, like the open source tool nmap, which can collect information about which services are running on a server or computer, and even which specific operating system is installed. With that information, the attacker can determine whether the services or operating system are subject to any known vulnerabilities.
Then, the attacker must devise a method for exploiting the vulnerability. Here again, exploit methods vary widely, but they may involve techniques like injecting malicious code into an application or bypassing access controls. Some vulnerabilities can be exploited remotely, meaning that attackers can take advantage of the security weakness over the network. Others require direct physical access to the infrastructure that hosts the vulnerable software.
If the exploit is successful, the attacker will gain the ability to perform malicious actions within the compromised application or its host system. Depending on the nature of the vulnerability, these actions could include activity like exfiltrating sensitive data, running malicious commands, planting malware or disrupting critical services in order to cause problems for the business.
What Causes Software Vulnerabilities?
As noted above, there are many potential causes for a software vulnerability. Some applications are vulnerable due to overall design flaws, such as an architecture that involves moving sensitive data over unsecured networks. In other cases, vulnerabilities result from specific coding errors that introduce vulnerabilities such as the following:
- Buffer overflows: These allow someone to put more data into an input field than what the field is supposed to allow. An attacker can take advantage of this by placing malicious commands into the overflow portion of the data field, which would then execute.
- SQL Injection: This could allow an attacker to inject malicious commands into the database of a web application. The attacker can do this by entering specially-crafted Structured Query Language commands into either a data field of a web application form, or into the URL of the web application. If the attack is successful, the unauthorized and unauthenticated attacker would be able to retrieve or manipulate data from the database.
- Third-party libraries: Many programmers use third-party code libraries, rather than try to write all software from scratch. This can be a real time-saver, but it can also be dangerous if the library has any vulnerabilities. Before using any of these libraries, developers need to verify that they don’t have vulnerabilities.
- Application Programming Interfaces: An API, which allows software programs to communicate with each other, could also introduce a software vulnerability. Many APIs are not set up with strict security policies, which could allow an unauthenticated attacker to gain entry into a system.
Adhering to best practices when designing applications and writing code are effective methods for reducing the risk of vulnerabilities. Tools like Software Composition Analysis scanners can also help to identify some of the flaws that trigger vulnerabilities. Furthermore, practices like shift-left security, which help developers to prioritize security early-on in the software delivery lifecycle (SDLC), are useful for minimizing the risk of introducing vulnerabilities into source code.
Nonetheless, given the complexity of most applications, it’s virtually impossible to guarantee that the issues that cause vulnerabilities are not present within an application. You should therefore never assume an application is vulnerability-free. You should take steps to detect and respond to vulnerabilities, no matter how much confidence you have that your software was developed securely.
Software Vulnerabilities and Open Source Software
Software vulnerabilities can affect both proprietary software (meaning software whose source code is available only to the business that develops it) and open source software (whose source code is available to the public at large).
However, vulnerabilities that impact open source software pose extra risk in certain respects. One main reason is that because anyone can view open source code, it’s easier in some cases for attackers to identify flaws within open source that they can exploit. Proprietary software isn’t subject to this risk, since in most cases attackers can’t view the source code (although they can deploy other techniques in an effort to detect vulnerabilities).
The other main reason is that because open source software can typically be freely reused, businesses routinely rely on open source. They may deploy open source applications wholesale, and they may also copy parts of an open source codebase into their own application or include open source libraries as dependencies for their applications. When they do this, they create the risk that vulnerabilities that affect the open source code could impact their business.
This doesn’t mean you shouldn’t use open source software, which offers a variety of advantages in many cases. But it does mean that it’s critical to know which open source code your business depends on and whether any vulnerabilities affect that code.
How to Handle Software Vulnerabilities: Vulnerability Scanning and Beyond
The best way to deal with a software vulnerability is to prevent it from happening in the first place. Software developers need to learn secure coding practices, and automatic security testing must be built into the entire software development process.
But again, it’s impossible to guarantee that the code your business depends on is not subject to vulnerabilities. For that reason, it’s important to leverage vulnerability scanning. Vulnerability scanning is the process of automatically scanning application source code and/or binaries for known vulnerabilities. If scanners detect an application component that is known to be vulnerable, they alert developers so that they can fix the issue.
Vulnerability scanners don’t always detect every potential vulnerability; in particular, they may not be able to catch vulnerabilities that have not yet been publicly identified or disclosed. But they do protect against the vast majority of vulnerabilities.
Once you’ve detected vulnerabilities, you should assess how severe each one is. Depending on the amount of harm each vulnerability can cause and how easy it is to exploit, the vulnerability may be more or less severe than other vulnerabilities, so you should determine which ones to prioritize.
Finally, formulate and execute a plan for mitigating the vulnerability. The mitigation process will vary depending on the nature of the vulnerability, but in many cases, fixing the vulnerability involves either updating source code, applying a patch or updating to a newer version of the vulnerable application component. Alternatively, if no fix is available and you can’t implement it yourself, you can take steps to prevent the vulnerability from being exploited by, for example, updating the application’s configuration such that the conditions required for exploitation are not present.