Wikipedia

Vulnerability (computer security): Difference between revisions

Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
HourWatch (talk | contribs)
48 edits
m Blue link
Line 23:
 
===Development factors===
Some [[software development]] practices can affect the risk of vulnerabilities being introduced to a code base. Lack of knowledge about secure software development or excessive pressure to deliver features quickly can lead to avoidable vulnerabilities to enter production code, especially if security is not prioritized by the [[company culture]]. This can lead to unintended vulnerabilities. The more complex the system is, the easier it is for vulnerabilities to go undetected. Some vulnerabilities are deliberately planted, which could be for any reason from a disgruntled employee selling access to cyber criminals, to sophisticated state-sponsored schemes to introduce vulnerabilities to software.{{sfn|Strout|2023|p=17}} Inadequate [[code review]]s can lead to missed bugs, but there are also [[Static application security testing|static code analysis]] tools that can be used as part of code reviews and may find some vulnerabilities.{{sfn|Haber |Hibbert|2018|p=143}}
 
Poor [[software development]] practices can affect the likelihood of introducing vulnerabilities to a code base. Lack of knowledge or training regarding secure software development, excessive pressure to deliver, or an excessively complex code base can all allow vulnerabilities to be introduced and left unnoticed. These factors can also be exacerbated if security is not prioritized by the [[company culture]]. {{sfn|Strout|2023|p=17}} Inadequate [[code review]]s can also lead to missed bugs, but there are also [[Static application security testing|static code analysis]] tools that can be used during the code review process to help find some vulnerabilities.{{sfn|Haber |Hibbert|2018|p=143}}
 
In some cases, vulnerabilities can also be deliberately planted by an [[insider threat]], such as by a disgruntled emplpoyee selling access to cyber criminals or state-sponsored schemes.{{cn}}
 
[[DevOps]], a development workflow that emphasizes automated testing and deployment to speed up the deployment of new features, often requires that many developers be granted access to change configurations, which can lead to deliberate or inadvertent inclusion of vulnerabilities.{{sfn|Haber |Hibbert|2018|p=141}} Compartmentalizing dependencies, which is often part of DevOps workflows, can reduce the [[attack surface]] by paring down dependencies to only what is necessary.{{sfn|Haber |Hibbert|2018|p=142}} If [[software as a service]] is used, rather than the organization's own hardware and software, the organization is dependent on the cloud services provider to prevent vulnerabilities.{{sfn|Haber |Hibbert|2018|pp=135-137}}
Retrieved from "https://en.wikipedia.org/wiki/Vulnerability_(computer_security)"