Core Software Security by Anmol Misra, James Ransome

Preface
The age of the software-driven machine has taken significant leaps over the last few years. Human tasks such as those of fighter pilots, stock-exchange floor traders, surgeons, and industrial production and power-plant operators, tasks that are critical to the operation of weapons systems, medical systems, and key elements of our national infrastructure, have been, or are rapidly being, taken over by software. This is a revolutionary step in the machine, whose brain and nervous system are now controlled by software-driven programs taking the place of complex nonrepetitive tasks that formerly required the use of the human mind. This has resulted in a paradigm shift in the way the state, military, criminals, activists, and other adversaries can attempt to destroy, modify, or influence countries, infrastructures, societies, and cultures. This is true even for corporations, as we have seen increasing cases of cyber corporate espionage over the years. The previous use of large armies, expensive and devastating weapons systems and platforms, armed robberies, the physical stealing of information, violent protests, and armed insurrection is quickly being replaced by what is called cyber warfare, crime, and activism.

In the end, the cyber approach may have just as profound effects as the techniques used before, in that the potential exploitation of software vulnerabilities could result in:

- Entire or partial infrastructures taken down, including power grids, nuclear power plants, communication media, and emergency response systems
- Chemical plants modified to create large-yield explosions and/or highly toxic clouds
- Remote control, modification, or disablement of critical weapon systems or platforms
- Disablement or modification of surveillance systems
- Criminal financial exploitation and blackmail
- Manipulation of financial markets and investments
- Murder or harm to humans through the modification of medical support systems or devices, surgery schedules, or pharmaceutical prescriptions
- Political insurrection and special-interest influence through the modification of voting software, blackmail, or brand degradation through website defacement or underlying Web application takedown or destruction

A side effect of the cyber approach is that it has given us the ability to do the above at a scale, distance, and degree of anonymity previously unthought of, from jurisdictionally protected locations, through remote exploitation and attacks. This gives governments, criminal groups, and activists the ability to proxy prime perpetrators to avoid responsibility, detection, and political fallout.

Although there is much publicity regarding network security, the real Achilles heel is the (insecure) software, which provides the potential ability for total control and/or modification of a target as described above. The criticality of software security as we move quickly toward this new age of tasks previously relegated to the human mind being replaced by software-driven machines cannot be underestimated. It is for this reason that we have written this book. In contrast, and for the foreseeable future, software programs are and will be written by humans. This also means that new software will keep building on legacy code or software that was written prior to security being taken seriously, or before sophisticated attacks became prevalent. As long as humans write the programs, the key to successful security for these programs is in making the software development program process more efficient and effective. Although the approach of this book includes people, process, and technology approaches to software security, we believe the people element of software security is still the most important part to manage as long as software is developed, managed, and exploited by humans. What follows is a step-by-step process for software security that is relevant to today's technical, operational, business, and development environments, with a focus on what humans can
