Information Security (COMP2120), Topic 8 of 15

    Software security: Vulnerabilities and protections

    This topic covers software security from two sides: vulnerabilities (what can go wrong in code) and protections (how to defend the code against attacks). It is a must-know area of information security, especially if you are interested in cybersecurity or software development.


    💻 Software Security: Vulnerabilities and Protections


    🚨 Part 1: Common Software Vulnerabilities

    Vulnerabilities are weaknesses or flaws in software that attackers can exploit to compromise systems, data, or users.

    Here are some of the most common:

    Vulnerability | Description | Example
    Buffer Overflow | Data written past the end of a fixed-size buffer overwrites adjacent memory | Crashing a program or hijacking control flow to run injected code
    SQL Injection | Untrusted input is concatenated into an SQL query and parsed as SQL | Bypassing a login check or reading other users' data
    Cross-Site Scripting (XSS) | Untrusted input is rendered into a web page and runs as script in the victim's browser | Stealing cookies or session tokens
    Cross-Site Request Forgery (CSRF) | A victim's browser is tricked into sending a request the victim did not intend, using their existing logged-in session | Changing account settings or an e-mail address without consent
    Broken Authentication | Flaws in login or session management | Hijacking a user's session with a stolen or guessed token
    Insecure Deserialization | Untrusted serialized data is turned back into objects, letting the attacker choose object types and field values | Remote code execution
    Security Misconfiguration | Insecure default settings, unnecessary features left enabled, outdated software | Exposed admin panels, default passwords left unchanged
    Unvalidated Input | Input is used without checking its type, length, range or format | Injection attacks, crashes, logic errors
    Race Conditions | The outcome depends on the timing of concurrent operations, e.g. a security check and the use of its result are not atomic (time-of-check to time-of-use) | Bypassing a security check or corrupting shared state

    🛡️ Part 2: Software Security Protections

    These are techniques, tools, and practices used to protect software from being exploited.


    🧱 1. Secure Coding Practices

    ✅ Write code with security in mind:

    • Validate all inputs (never trust user input)
    • Use proper error handling
    • Avoid hardcoded secrets (like passwords)

    📘 Use secure coding guidelines from:

    • OWASP (Open Worldwide Application Security Project, formerly the Open Web Application Security Project)
    • CERT secure coding standards

    🔐 2. Authentication & Session Security

    • Use strong password policies
    • Implement multi-factor authentication (MFA)
    • Use secure cookies and session timeouts
    • Avoid predictable session tokens
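
    The session points above in working Python, as an added example that is not part of the course notes: tokens generated from the operating system's CSPRNG via the standard library's secrets module, a server-side store that keeps only a hash of each token and enforces an idle timeout, and a Set-Cookie line with the Secure, HttpOnly and SameSite attributes. The 15-minute timeout is an assumed policy for the example, and the injectable clock exists only so expiry can be exercised without waiting.

```python
import hashlib
import secrets
import time

# Idle timeout for a session. The 15-minute value is an assumed policy for
# this example, not a figure from the course notes.
SESSION_TTL_SECONDS = 15 * 60


class SessionStore:
    """Server-side session table keyed by the SHA-256 of the token.

    Storing only the hash means a leaked copy of the table does not hand an
    attacker usable session tokens.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry is testable
        self._sessions = {}        # sha256(token) -> (username, last_seen)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, username: str) -> str:
        # 32 bytes (256 bits) from the OS CSPRNG: a token cannot be predicted
        # from earlier ones, unlike a counter, a timestamp or a username hash.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (username, self._now())
        return token

    def lookup(self, token: str):
        """Return the username for a live session, or None."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        username, last_seen = entry
        if self._now() - last_seen > SESSION_TTL_SECONDS:
            # Expired: remove it so the same token can never be revived.
            del self._sessions[key]
            return None
        self._sessions[key] = (username, self._now())   # refresh the idle timer
        return username

    def destroy(self, token: str) -> None:
        """Logout: invalidate on the server, not just by deleting the cookie."""
        self._sessions.pop(self._key(token), None)


def session_cookie(token: str) -> str:
    # Secure: only sent over HTTPS. HttpOnly: not readable by page scripts, so
    # an XSS bug cannot simply read document.cookie. SameSite=Lax: not attached
    # to cross-site POST requests, which blunts CSRF.
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(session_cookie(tok))
    print("lookup:", store.lookup(tok))
    store.destroy(tok)
    print("after logout:", store.lookup(tok))
```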

    🧼 3. Input Validation & Output Encoding

    • Validate on the server side; client-side validation improves usability, but an attacker can bypass it entirely
    • Use an allow-list (accept only known-good values) rather than a block-list (reject known-bad patterns), because attackers find encodings the block-list missed
    • Encode output for the context it is placed in (e.g., HTML-escape text inserted into a page) so that user data is displayed, not executed

    🛑 4. Least Privilege Principle

    • Give users and applications only the permissions they need
    • Avoid running apps with admin/root privileges

    🔒 5. Use Secure Libraries and Frameworks

    • Keep dependencies up to date and know exactly which versions you ship, so a published vulnerability in a library can be patched quickly
    • Avoid deprecated or insecure functions (e.g., gets and strcpy in C, which do no bounds checking)
    • Use trusted, well-maintained open-source libraries

    🧪 6. Security Testing

    Type | Description
    Static Analysis (SAST) | Analyse source code or binaries without executing them (e.g., SonarQube)
    Dynamic Analysis (DAST) | Probe the running application from the outside, as an attacker would (e.g., Burp Suite)
    Penetration Testing | Authorised, goal-driven attack on the system by skilled testers to find exploitable weaknesses
    Fuzz Testing | Feeding large numbers of random or malformed inputs to a program to trigger crashes, hangs or unexpected exceptions
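
    Fuzz testing in miniature, as an added example that is not part of the course notes: a toy parser for a constructed record format (one length byte, the name, then one flags byte) that crashes on empty or truncated input, a fuzzer that feeds it random byte strings and records the shortest input per unexpected exception type, and a fixed parser the same fuzzer no longer finds anything in. The format, the parser and the seed are assumptions for the example; a real fuzzer such as AFL or libFuzzer is coverage-guided, but the loop is the same.

```python
import random


def parse_record(data: bytes) -> dict:
    """Toy parser for a constructed format: [length][name bytes][flags byte].

    It is meant to reject malformed input with ValueError. Any other exception
    type escaping it is a crash-class bug for the fuzzer to find.
    """
    length = data[0]                            # BUG: IndexError on empty input
    # UnicodeDecodeError is a ValueError subclass, so a non-ASCII name is
    # reported as malformed input, which is the intended behaviour.
    name = data[1:1 + length].decode("ascii")
    flags = data[1 + length]                    # BUG: IndexError when truncated
    return {"name": name, "flags": flags}


def parse_record_fixed(data: bytes) -> dict:
    """Same format, with every malformed case checked before it is indexed."""
    if not data:
        raise ValueError("empty record")
    length = data[0]
    if len(data) != 2 + length:
        raise ValueError("record length does not match its header")
    name = data[1:1 + length].decode("ascii")   # non-ASCII -> ValueError, as intended
    return {"name": name, "flags": data[1 + length]}


def fuzz(target, iterations: int = 2000, seed: int = 1, max_len: int = 8) -> dict:
    """Feed random byte strings to target and return, per unexpected exception
    type, the shortest input that triggered it. ValueError is the documented
    rejection path and is not reported."""
    rng = random.Random(seed)                   # fixed seed: findings are reproducible
    findings = {}
    for _ in range(iterations):
        size = rng.randrange(max_len + 1)
        data = bytes(rng.randrange(256) for _ in range(size))
        try:
            target(data)
        except ValueError:
            continue                            # expected rejection of bad input
        except Exception as exc:                # anything else is a bug
            kind = type(exc).__name__
            if kind not in findings or len(data) < len(findings[kind]):
                findings[kind] = data
    return findings


if __name__ == "__main__":
    print("well-formed:", parse_record(b"\x03bob\x01"))
    print("bugs in parse_record:      ", fuzz(parse_record))
    print("bugs in parse_record_fixed:", fuzz(parse_record_fixed))
```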

    🧰 7. Tools & Techniques

    • Firewalls and WAFs (Web Application Firewalls): filter traffic at the network or HTTP layer; a WAF can block known injection patterns, but it is a safety net in front of the application, not a substitute for fixing the code
    • Code obfuscation: makes shipped or compiled code harder to reverse engineer; it slows an attacker down but does not remove any vulnerability
    • ASLR (Address Space Layout Randomization): randomises where the stack, heap and libraries are loaded, so a buffer-overflow exploit cannot rely on fixed addresses
    • DEP (Data Execution Prevention, also known as NX): marks data pages such as the stack as non-executable, so injected shellcode cannot simply be run

    ✅ Summary Table:

    Category | Vulnerability Example | Protection
    Input Handling | SQL Injection, XSS | Input validation, parameterised queries, output encoding
    Authentication | Broken login, session hijack | MFA, unpredictable session tokens, session timeouts
    Configuration | Default settings, exposed APIs | Harden servers, change default credentials, remove debug info
    Code Vulnerabilities | Buffer overflow, race condition | Memory-safe languages, bounds checking, static analysis, ASLR and DEP
    Data Handling | Insecure deserialization | Never deserialize untrusted data into arbitrary object types; use a plain data format with schema validation

    🔄 Real-World Flow:

    1. Developer writes code → 
    2. Runs security tests (SAST/DAST) →
    3. Fixes issues and follows secure coding →
    4. Application is deployed with protections (e.g., WAF, secure configs) →
    5. Monitored and maintained regularly
    
