Proper software security


Programs as they are written today have many software vulnerabilities that programmers have become increasingly aware of over the past 20 years. Most attacks are carried out by exploiting these vulnerabilities rather than overcoming or bypassing access controls.

A buffer is similar to an array, but without an enforced length. When a programmer writes to a buffer, it is possible to unknowingly write beyond its length. This vulnerability is a buffer overflow.

Software today has defects with security ramifications, including implementation errors such as buffer overflows and design flaws such as inconsistent error handling. These are vulnerabilities.

You may have heard of computer language cheats, such as PHP cheats, Perl cheats, and C++ cheats. These are vulnerabilities.

Software defense, as opposed to security software, overcomes these vulnerabilities by writing defensive code that prevents them. While the program is in use, as more and more vulnerabilities are discovered, developers (programmers) should look for ways to re-code the vulnerable parts defensively.
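The buffer overflow described earlier, next to a defensively coded replacement of the kind this paragraph calls for. This is an added example in C, not code from the original article; the function names, the 16-byte capacity and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16  /* constructed buffer size for this example */

/* Unchecked form: strcpy() keeps writing until it reaches the source's
 * terminating NUL, so any input of NAME_CAP bytes or more runs past the
 * end of dst. Shown for comparison only; main() never calls it. */
void store_name_unchecked(char dst[NAME_CAP], const char *src)
{
    strcpy(dst, src);
}

/* Defensive form: the caller states the capacity, the length is checked
 * before any byte is written, and oversized input is rejected instead of
 * being silently truncated. Returns 0 on success, -1 on rejection. */
int store_name_checked(char *dst, size_t cap, const char *src)
{
    if (dst == NULL || src == NULL || cap == 0)
        return -1;

    /* Look for the terminator within the first cap bytes only. */
    const char *end = memchr(src, '\0', cap);
    if (end == NULL) {          /* input plus its NUL does not fit */
        dst[0] = '\0';          /* leave dst in a defined state */
        return -1;
    }
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    char name[NAME_CAP];
    /* Constructed inputs: short, exactly fitting (15 + NUL), too long. */
    const char *inputs[] = { "alice", "fifteen_chars__",
                             "this input is longer than the buffer" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = store_name_checked(name, sizeof name, inputs[i]);
        printf("%-38s -> %s\n", inputs[i], rc == 0 ? "stored" : "rejected");
    }
    return 0;
}
```

Rejecting the oversized input, rather than truncating it, keeps the caller from acting on a value the user never supplied.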

The threat of a denial-of-service attack cannot be stopped by access control, because in order to carry it out, the criminal must have access to the host (server). It can be stopped by adding some back-end software that monitors what users are doing on the host.

Software security is a robust design from the inside out, making it difficult for software attacks to occur. Software should be self-protecting and, at a minimum, have no vulnerabilities. This makes managing a secure network easier and more cost-effective.

Software protection is the development of protective code within the program, while security software applies (designs) access control. Sometimes these two issues overlap, but often they do not.

Software security is already quite advanced and still evolving, but it is not as advanced as security software. Bad hackers achieve their goals more by exploiting software vulnerabilities than by overcoming or bypassing security software. Hopefully, in the future, information security will be more about software protection than security software. For now, both software security and security software must be in use.

Software protection will not be really effective if thorough testing is not done at the end of software development.

Programmers need to be educated in programming security code. Users also need to be trained on how to use security programs.

In the area of software security, the developer must ensure that the user does not receive more privileges than he deserves.

Software defense is the development of applications with protective coding against vulnerabilities, which makes it difficult for software attacks to occur. Security software, on the other hand, is the production of software that provides access control. Software security is still being developed, but it is more promising for information security than security software. It is already in use and it is becoming more popular. In the future, both will be needed, but software security will be needed more.