ABSTRACT

Software vulnerabilities play an important role in two complementary research areas: software security and application security. In his book Software Security: Building Security In,[6] McGraw defines software security as “the idea of engineering software so that it continues to function correctly under an attack.” In the same book he states that application security “involves the protection of software after it has been already built,” meaning that efforts to secure an application are made after development is finished. Others, however, argue that application security can also encompass measures taken throughout the code’s life cycle to eliminate software vulnerabilities.[7] Both areas are relatively new; the first relevant publications and books appeared in the early 2000s.[6,8] Before that, computer security was associated mainly with network security, operating system security, and viral software. This entry follows the roadmap below. In the section “Vulnerable Software,” we discuss the causes of vulnerable software, because it is important to understand why and how insecure software is developed. In the section “The Evolution of Software Vulnerabilities,” we argue that securing software is an ongoing concern, since the literature so far contains no findings indicating that software vulnerabilities decrease as projects evolve. In the section “Critical Attacks Stemming from Software Vulnerabilities,” we present some critical attacks that stem from vulnerable software; notably, such attacks have topped the vulnerability lists of numerous security bulletin providers for several years. The section “Software System Hardening” presents basic methods and tools that developers can use to: a) eliminate the vulnerabilities a system contains during the development process, and b) guard the system against application attacks once it is in production.
Then, in the section “Criteria for Selecting Security Methods and Tools,” we enumerate a number of critical requirements that developers must consider before adopting security mechanisms and countermeasures. Finally, in the section “Emerging Challenges,” we outline some emerging challenges in securing software, and in “Conclusions” we draw some key conclusions.