Should Developers be Blamed for Software Vulnerabilities?
Date: 17 November 2021
It is a well-known fact that developers are responsible for creating and releasing new applications and platforms. They are also responsible for debugging software and, when necessary, creating patches to deal with vulnerabilities as they arise.
This blog highlights the reasons why developers may, then, bear the burden of software vulnerabilities.
At a glance, here's what this blog covers:
Often, developers operate under very tight deadlines. As a result, the pressure to perform can force them to neglect security measures. Although developers try to adhere to best practices to avoid functional bugs, they may lack time to thoroughly test their applications.
Hence, developers may opt to use security updates or patches to address security issues later on. Such thinking makes organisations vulnerable to cyber-attacks until developers deploy the security patch. The fact is that each code contains bugs; however, decisions by management during the development lifecycle can increase the severity of developer errors.
Often, developers do not embrace secure coding from the onset as a foundational element. They choose to include it later on or, in the worst-case scenario, neglect it completely. In addition, if developers do not follow a defined process for using open-source libraries, it may result in untracked vulnerabilities.
Fortunately, open-source static code analysis prevents 50% of the issues that often slip during production. Instead of dealing with fires arising from bad code, the best approach entails incorporating quality assurance. The approach enforces coding standards early in the development cycle.
Data Processing Flaws
According to MITRE, the number one software vulnerability is buffer overflow. The vulnerability arises once a memory buffer is set to receive more data than it can support. During software execution, the program writes data outside the memory block. This makes it possible to carry out read or write operations beyond the buffer limits.
Because of buffer overflow, it is fairly easy for unauthorized users to exploit this vulnerability. It allows them to read sensitive data, change the control flow of the program or execute malicious code.
Developers use queries and commands to ensure components communicate. If they fail to encode these messages, hackers can capitalize on such vulnerability to interfere with the application. Through SQL injection or XSS, hackers can use special characters that the application can interpret as control information.
As a result, developers may have to take the blame for coding errors that allow some software components to accept malicious commands and carry out wrong operations.
Also, improper handling of sensitive details can result in unintentional or intentional information disclosure to unauthorized users. The vulnerability arises from the failure to encrypt sensitive data, password hashing, weak key generation, and poorly set security incident response system. These vulnerabilities can also be handled better if the staff is given proper Cyber Incident Planning & Response training and the organisation develops a solid cyber-attack response plan using a lucid Cyber Incident Response Plan template.
Let’s face it: Improper handling of sensitive information and poorly trained staff are some of the primary enablers for allowing hackers to steal identities, commit fraud, and perform cyber-attacks.
Security and Access Control Weaknesses
The second most likely reason developers can be blamed for vulnerability is because of security and access control weaknesses. Some of the common access control vulnerabilities include:
- Security misconfiguration
- Weak credential management
- Improper access control
- Privilege and cryptographic issues
At the core of this vulnerability are incorrect security configurations and component access controls. Usually, software components have default security settings. Developers fail to adjust access controls to meet custom security terms.
Additionally, developers fail to adhere to the principle of least privilege. This principle dictates that a process or a user should only be given the privileges necessary to perform their tasks.
It results in applications that lack the necessary security features such as proper authorization and authentication. This leaves user accounts susceptible to cyber-attacks. When an attacker capitalizes on the coding errors of a developer, they can compromise password security, get control of the system as well as the devices and subject the victim computers to ransomware attacks.
Resource Management Flaws
Developers can cause improper system resource allocation or consumption. The vulnerability occurs within a system with limited file storage, CPU capacity, or system memory. The vulnerability is a result of:
- Crucial system resources not being under the control of the system
- Failure to release crucial system resources after the end of software effective lifetime
- Referencing crucial system resources after being previously freed.
The faulty conditions arise from confusion about which component controls which resource. It creates a vulnerability in the system that provides hackers an easy target. The attacks can come in different ways, such as denial-of-service (DoS), executing malicious code, or crashing a program.
Business Logic Flaws
If developers give access permissions to more users than necessary, it poses a serious security risk. Usually, this vulnerability manifests during the implementation stage. For instance, developers may avoid setting permissions to prevent complications in the initial running of the application.
It makes operating the software during installation easier for the user with the view that permission parameters will be set later on. Sometimes, this important step never happens since the users fail to read the documentation carefully.
If system administrators or users fail to change these permissions, they make the entire system vulnerable to attacks. Business logic in software is responsible for ways of creating, modifying, and storing data. Thus, vulnerabilities in this domain make a system prone to attacks.
Another reason developers may bear the brunt of software vulnerabilities is cross-site request forgery. This composite software weakness entails erroneous conditions such as:
- Origin validation error
- Insufficient session expiration
- External control of crucial data
- Confused deputy
The coding mistakes can overlap, creating a web application that is unable to establish if an incoming server request is intentional or not. It is easy for hackers to detect and exploit such coding errors in applications. Hackers trick the system into sending unintentional false requests to the server that will eventually be treated as valid requests.
An XML document houses external entity references for online applications. An attacker can provide a substitute string such as a file URL rather than the document type definition (DTD) that defines an XML entity.
This way, the attacker can read contents in a local file. Thus, if developers weakly configure an XML parser, they can cause software vulnerability that processes XML documents with an external entity reference.