Rugged is ... knowing that ALL software (programs, applications, operating systems) has bugs or vulnerabilities. Software is the method by which people interact with data, so secure software is critical to protecting data.
Since the beginning of computer program writing, there has been an average of one “bug” per 10,000 lines of programming code. All operating systems (Windows, Mac System X, Unix, AIX, Linux (Ubuntu, RedHat, Slax, Debian etc.), iPhone, Android) have from hundreds of thousands to millions of lines of programming code. So ALL OPERATING SYSTEMS have software bugs or flaws or vulnerabilities that, when discovered, require updates and patches. As consumers we should be complaining to companies to better test their software for vulnerabilities before releasing it for commercial sale. As business owners we need to insist that developers working for us write secure code. It is cheaper to write secure code initially than to have to go back and write patches or correct programming code. But that has to be planned early, up front, before a project is initiated. The cost of fixing bugs in code once it is in production (thanks to “Xxyyz” for the link) can be many times that of fixing it early in the development cycle, but only consumer pressure will motivate companies to write more secure programs.
A program is written to make use of data. A major concern for a responsible professional programmer is to make sure the data used by a program he or she writes is not susceptible to compromise. Writing secure code should be a badge of honor for every software developer, and developers should insist that their code is run through vulnerability checkers to verify it is secure. This hasn’t been taught in most colleges, so securing code is a skill and attitude those currently in the workforce must develop themselves. The Open Web Application Security Project (OWASP) is a worldwide non-profit organization focused on improving the security of application software and is a superb free resource for all program developers. (This Cyber Rugged website was created in cooperation with Rugged Software, which was started by several people involved with OWASP.) The OWASP Top Ten Project provides a powerful awareness document for web application security developers which every programmer in the world should know about and every business manager should insist that programmers use.
Databases have been at the nexus of many of the attacks of the last few weeks by “LulzSec”. How is our database security? 100% of Tested IRS Databases are Vulnerable to Hackers according to the Department of Treasury Inspector General. Different teams manage different parts of the processes for securing databases. There are no industry-accepted database security processes or requirements, and securing a database is not as straightforward as protecting a network or endpoint. This is a link to an 80-page document that contains 6 major phases, 21 subprocesses and dozens of operational metrics that can be used to evaluate database security. Executive Summary and Building A Database Security Program
Web programmers need to be particularly cognizant of how their code handles cookies. Cookies contain session information which, when mined, can reveal how authentication works. For browser users, keeping a browser session open may permit unscrupulous people to “mine” the session authentication credentials for, e.g., an online banking transaction. The “Cookiejacking” exploit is explained in this article.
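As an added illustration (not code from this site or from the Cookiejacking article), the following Python shows the defensive side of the cookie point above: a session cookie issued with the browser-enforced protections (Secure, HttpOnly, SameSite, a short lifetime), and a small audit function a programmer can run over a Set-Cookie header to see which protections a cookie is missing. The cookie name `sid` and value `abc123` are constructed sample values.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name, value, max_age=900):
    """Return a Set-Cookie header value for a hardened session cookie.

    Secure   -> only sent over HTTPS, so it cannot be read off the wire
    HttpOnly -> not readable by script running in the page
    SameSite -> not sent on cross-site requests (limits session riding)
    Max-Age  -> the session credential expires instead of living forever
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["max-age"] = max_age
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def audit_set_cookie(header):
    """Return the list of protections missing from a Set-Cookie header value.

    Attribute names are case-insensitive per RFC 6265, so they are lowered
    before comparison. An empty list means the cookie carries every
    protection this check looks for.
    """
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is the name=value pair itself
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax/Strict")
    if "max-age" not in attrs and "expires" not in attrs:
        missing.append("Max-Age/Expires")
    return missing


if __name__ == "__main__":
    hardened = build_session_cookie("sid", "abc123")
    print("hardened :", hardened, "-> missing", audit_set_cookie(hardened))
    # Constructed example of a weak cookie as many sites still issue them.
    weak = "sid=abc123; Path=/"
    print("weak     :", weak, "-> missing", audit_set_cookie(weak))
```

The audit only looks at what the server sends; it does not replace checking that the application also invalidates the session server-side when the user logs out or the lifetime passes.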
Script Compilers — Interpreters
With the advent of Web 2.0 in the late 1990s, major application developers began including reduced-function compilers that read scripts (called interpreters) in many applications. Windows Explorer (the Windows interface) has an interpreter in it, Windows Internet Explorer (the browser) has an interpreter built into it, and Firefox, Chrome, Safari and other browsers all have interpreters built into them. Microsoft Office, OpenOffice, Adobe Reader, and many other programs all have script interpreters built into them.
Any program that reads (interprets) HTML, allows you to enter data into it, or allows creation of macros very likely has an interpreter built into it. Interpreters read plain text and treat it as command syntax to perform actions (even if a command wasn’t the intent of the text writer). This means that anyone on the Internet can write an email with commands embedded in its text, send it to everyone, and the application (browser or email client) in which that email is read will execute those commands. This is one of the reasons email and web browsers are the most serious attack surfaces for Internet exploits.
Language of the Web — HTTP and XML
Tim Berners-Lee invented a plain text language called Hyper Text Markup Language (HTML) to make it as simple as possible to display web pages graphically instead of in the simple command line text that the Internet used before the World Wide Web Consortium (W3C) established the World Wide Web. The W3C then created a straightforward language to be used over the Internet called Extensible Markup Language (XML) to provide a method for formatting data so that data written in it could be read by many applications. XML applies context to the data and separates data content from data presentation, which uses HTML. XML is critical for computer systems and different platforms to be able to easily exchange data among themselves.
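The two sections above make one combined point: XML carries data content, HTML is the presentation layer, and the browser's HTML interpreter will execute whatever text reaches it as markup. The Python below is an added example, not code from this site, that ties them together. It parses a constructed XML order record in which a free-text field contains something that is harmless data inside XML, then renders it to HTML two ways: pasting the text straight into the page (the mistake), and escaping it first so the interpreter sees data rather than commands. The record, its fields and the function names are all assumptions made for the illustration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample record, as it might arrive from another system.
# Inside XML the angle brackets are escaped, so the parser treats the
# comment as plain text, exactly as XML's separation of content from
# presentation intends.
SAMPLE_XML = """<?xml version="1.0"?>
<order id="1001">
  <customer>Ann &amp; Co.</customer>
  <comment>Deliver after 5pm &lt;script&gt;alert(1)&lt;/script&gt;</comment>
</order>
"""


def parse_order(xml_text):
    """Extract the fields of one <order> element into a plain dict.

    ElementTree decodes the XML entities, so the returned comment holds
    literal '<script>' characters: correct data, but dangerous if handed
    to an HTML interpreter unchanged.
    """
    root = ET.fromstring(xml_text)
    return {
        "id": root.get("id", ""),
        "customer": root.findtext("customer", ""),
        "comment": root.findtext("comment", ""),
    }


def render_order_html_unsafe(order):
    """Presentation done wrong: data is spliced into HTML verbatim.

    The browser cannot tell that '<script>' came from a data field, so it
    interprets it as a command, which is the interpreter problem described
    in the text.
    """
    cells = "".join(f"<td>{value}</td>" for value in order.values())
    return f"<table><tr>{cells}</tr></table>"


def render_order_html(order):
    """Presentation done right: every value is escaped before it becomes HTML.

    html.escape turns '<', '>', '&' and quotes into entities, so the
    interpreter renders the comment as text and executes nothing.
    """
    cells = "".join(f"<td>{html.escape(str(value))}</td>" for value in order.values())
    return f"<table><tr>{cells}</tr></table>"


if __name__ == "__main__":
    order = parse_order(SAMPLE_XML)
    print("parsed  :", order)
    print("unsafe  :", render_order_html_unsafe(order))
    print("escaped :", render_order_html(order))
```

The same escaping rule applies wherever data crosses into an interpreter: the format that carried the data (XML here) has its own escaping, and the format that presents it (HTML) needs its own, applied at the boundary between the two.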
On the horizon —
Hyper Text Markup Language 5 (HTML 5) (Wikipedia) is the latest improvement, which aims to support the latest multimedia capabilities while keeping the language itself readable by humans but consistently understood by computers, parsers, browsers etc. It adds new syntax that incorporates video, audio, canvas, and other features that will make it able to handle multimedia and graphical content without proprietary plugins and APIs.