Gray Hat Hacking 48

The document discusses the challenges of software security, highlighting that programmers are often pressured to prioritize functionality over security due to market demands. It emphasizes the complexity of modern software, which increases the likelihood of bugs and vulnerabilities, making it difficult to secure. The author argues that without integrating security into the software development process and holding vendors accountable, the frequency of successful cyberattacks will continue to rise.

Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition
It is not fair to put all of the blame on the programmers, because they have done exactly what their employers and market have asked them to: quickly build applications with tremendous functionality. Only over the last few years has the market started screaming for functionality and security, and the vendors and programmers are scrambling to meet these new requirements and still stay profitable.

Security Does Not Like Complexity

Software, in general, is very complicated, and the more functionality that we try to shove into applications and operating systems, the more complex software will become. The more complex software gets, the harder it is to predict properly how it will react in all possible scenarios, which makes it much harder to secure.

Today's operating systems and applications are increasing in lines of code (LOC). Windows operating systems have approximately 40 million LOC. Unix and Linux operating systems have much less, usually around 2 million LOC. A common estimate used in the industry is that there are between 5 and 50 bugs per 1,000 lines of code. So a middle-of-the-road estimate would be that Windows 7 has approximately 1,200,000 bugs. (Not a statement of fact; just a guesstimation.)

It is difficult enough to try to logically understand and secure 40 million LOC, but the complexity does not stop there. The programming industry has evolved from traditional programming languages to object-oriented languages, which allow for a modular approach to developing software. This approach has a lot of benefits: reusable components, faster time to market, a decrease in programming time, and easier ways to troubleshoot and update individual modules within the software. But applications and operating systems use each other's components, users download different types of mobile code to extend functionality, DLLs are installed and shared, and instead of application-to-operating-system communication, today many applications communicate directly with each other. The operating system cannot control this type of information flow and provide protection against possible compromises.

If we peek under the covers even further, we see that thousands of protocols are integrated into the different operating system protocol stacks, which allows for distributed computing. The operating systems and applications must rely on these protocols for transmission to another system or application, even if the protocols contain their own inherent security flaws. Device drivers are developed by different vendors and installed in the operating system. Many times these drivers are not well developed and can negatively affect the stability of an operating system. And to get even closer to the hardware level, injection of malicious code into firmware is an up-and-coming attack avenue.

So is it all doom and gloom? Yep, for now. Until we understand that a majority of the successful attacks are carried out because software vendors do not integrate security into the design and specification phases, our programmers have not been properly taught how to code securely, vendors are not being held liable for faulty code, and consumers are not willing to pay more for properly developed and tested code, our staggering hacking and company compromise statistics will only increase.
