Software flaws and solutions in cloud computing

Author: Iloka Benneth Chiemelie
Published: 15th-December-2014

INTRODUCTION
In a general sense, the term software flaws refers to malfunctions in a given piece of software that can negatively influence its overall performance (Anderson, 1972; IEEE, 1990). For instance, a flaw in software designed to protect computers against viruses will allow such viruses to easily penetrate the computer system and damage files in the process.
In order to classify the places where software flaws can occur, the view of a security analyst searching for such flaws will be adopted. The first question becomes: where are those flaws? Since operating systems normally define and enforce the basic security measures in a system, flaws occurring in this portion of a system will likely have more damaging effects; thus operating systems are the best places to begin when searching for flaws in a computer system (Anderson, 1972; IEEE, 1990; Bisbey, 1990; Bisbey and Hollingworth, 1978; Brehmer and Carl, 1993; Chillarege et al., 1992; Neumann, 1978; Petroski, 1992; Pfleeger, 1989). In any case, there is a need to focus on all aspects of the computer system, because such analysis will help determine the exact place that is affected. Thus, the search for flaws in computer systems can extend beyond operating systems into support and application software.
Considering the above discussion, it becomes clear that software flaws have a high influence on the security of data in cloud computing. This is because users need operating software (Microsoft, Unix, Linux, Mac, etc.) in order to access these data, they need support software in order to access help when needed, and they need application software to perform certain functions such as programming, editing, etc. As such, a flaw in any of these software will potentially influence the data security of cloud computing systems.
In the past, a number of studies have been carried out in line with this understanding, with a focus on analyzing how software flaws influence data security in the cloud. Findings from this literature stand as testament to the understanding that software flaws do have a negative impact on the security of data in the cloud, because researchers found that they allowed third-party access to stored data, thus leaking confidential information to hackers and others.
CURRENT SOLUTIONS FOR SOFTWARE FLAWS IN CLOUD COMPUTING
In order to protect computers from the issues discussed above, a number of protections have been developed by both engineers and users in order to rule out issues caused by flaws in computer security. Some of these solutions include:
Intrusion Detection System (IDS)
This is a system designed to keep a close record of network traffic for suspicious activities and alert the system or network administrator (passive IDS), or in some cases block the IP address of the suspicious user from accessing the network (active IDS). Numerous strategies exist for detecting suspicious IP addresses accessing the network, which means that these systems come in different varieties and with different detection methods. Some are network based (NIDS) and some are host based (HIDS). In addition, some detect threats based on the signatures of known threats, while others compare traffic patterns with a baseline and look for abnormalities in the traffic. The weakness of this tool is the bottleneck that forms at the monitored point.
Companies and individuals alike have made use of this method to handle issues with infected computers and with hackers. In handling hacking, most companies and individuals make use of an IDS to protect their network. The results from this system are still used today to determine how hackers penetrate a network or computer. This also includes the use of Trojan horses, port and vulnerability scanning, packet sniffing, and other common hacks that have been discussed earlier.
When anti-virus software detects the presence of a given virus or an intruder in a system, the suspected file will be analysed and presented to the user. Actions such as disassembly, macro-scanning, and code analysis are normally undertaken in order to eliminate the virus or disconnect the intruder, but this depends on the type of file.
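The two detection methods and the passive/active distinction described above can be shown in a few lines. This is an added example, not code from the original article; the signature pattern, the baseline figures and the log lines are all constructed assumptions.

```python
import re
from collections import Counter

# Signature of a known threat (assumed pattern): script tags inside a request.
SIGNATURES = {"script-injection": re.compile(r"<\s*script", re.IGNORECASE)}

# Constructed sample traffic in the form "<source IP> <request>"; not real logs.
SAMPLE = (
    ["192.0.2.10 GET /index.html"] * 3
    + ["192.0.2.11 GET /search?q=<script>x</script>"]
    + ["198.51.100.7 GET /login"] * 40
)

def inspect(lines, baseline_per_source=5, tolerance=3.0, active=False):
    """Return (alerts, blocked). Passive mode only alerts; active mode also blocks."""
    alerts, counts = [], Counter()
    for line in lines:
        src, _, request = line.partition(" ")
        counts[src] += 1
        # Signature-based detection: match each request against known patterns.
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((src, "signature:" + name))
    # Baseline-based detection: request volume far above the expected rate.
    for src, n in counts.items():
        if n > baseline_per_source * tolerance:
            alerts.append((src, "anomaly:rate"))
    # An active IDS turns every alerting source into a block-list entry.
    blocked = sorted({src for src, _ in alerts}) if active else []
    return alerts, blocked
```

The signature check only catches what it has a pattern for, while the baseline check catches unknown behaviour at the cost of false alarms when legitimate traffic spikes.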
Check site
One of the most common methods used to gain access to users' information is phishing, in which the hacker builds a site to look exactly like the original website but hosts it under a different domain name. As such, it is important that users always take extra time to review the domain name that they are accessing and ensure that it actually belongs to the original site and not a phishing site. Modern practice also involves verification with HTTPS, which replaces HTTP as a more secure means of internet access.
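The domain review described above can be automated as a strict comparison of the host actually contacted against the expected domain. This is an added example, not part of the original article; the function name and the `bank.example` and `evil.test` names are constructed placeholders.

```python
from urllib.parse import urlsplit

def check_site(url, expected_domain):
    """Return 'ok', or the reason the URL should not be trusted as expected_domain."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "not-https"
    # hostname is the host really contacted: text before an '@' is only userinfo.
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower()
    # Accept the domain itself or a true subdomain. A bare suffix match would
    # also accept 'evilbank.example', so the dot in front is required.
    if host != expected and not host.endswith("." + expected):
        return "different-domain"
    if parts.username is not None:
        return "userinfo-in-url"
    return "ok"
```

The comparison runs from the right-hand end of the host name, so the expected name appearing at the start of a longer host does not count as a match.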
PROBLEMS OF THESE SOLUTIONS
Cookie poisoning - Most web applications make use of cookies to save information such as the username and password or a timestamp on the client's computer. However, these cookies are not always cryptographically secure, which makes it easier for hackers to modify them and cause the application to change their value, thereby “poisoning” the cookies. The end result is that these hackers can then gain access to the user's account and use it to make fraudulent transactions such as purchases and money transfers.
Manipulation of hidden fields - Retailers in the e-commerce world usually make use of hidden fields to save customers' sessions, thereby eliminating the need to maintain a complex database on the server side. Such fields are also used by retailers to store merchandise prices. Hackers can view the source code of protected sites, find the hidden field, and then alter prices. The company might not detect such changes and, as a result, ship the hacker's goods at the altered price and possibly send a rebate.
Parameter tampering - Most applications neglect to confirm the correctness of the common gateway interface (CGI) parameters embedded in their hyperlinks, which makes it easier for hackers to alter these parameters. This might benefit the hacker in a number of ways, such as allowing the hacker to secure a credit card with a US$500,000 limit, skip the login screen of a website, or gain access to orders and customer information.
Buffer overflow - By exploiting a flaw in a web form, hackers can overload a given server with excess information, causing the server to crash and shutting down the website.
Cross-site scripting - It is possible for hackers to inject malicious code into a website, with such code behaving as if it is from the targeted site. This gives the attackers full access to the retrieved pages, and the code can even send them data from the page.
HTTP response splitting - The web cache can be poisoned by hackers both at the site and in intermediate systems, which makes it possible for these hackers to change the web pages in the cache and perform numerous attacks against the users of such sites. Additionally, this gives the hacker a greater ability to keep their activities secret.
Outdating - One of the major issues is that these software easily become outdated and, as such, less capable of handling the pressure to protect users.
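For the cookie poisoning, hidden field and parameter tampering items above, the common defence is that the server never trusts a value the client can edit: cookies carry a keyed MAC, and prices and parameters are validated against server-side data. This is an added example, not code from the original article; the key, the catalogue and all function names are constructed assumptions.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # assumption: really loaded from a secret store
CATALOGUE = {"sku-1001": 4999}        # constructed server-side prices, in cents

def _mac(value: str) -> str:
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()

def sign(value: str) -> str:
    """Attach an HMAC so the server can tell whether a cookie was modified."""
    return f"{value}|{_mac(value)}"

def verify(token: str):
    """Return the original value, or None if the cookie was altered or unsigned."""
    value, sep, mac = token.rpartition("|")
    if not sep:
        return None
    # Constant-time comparison of the received and the recomputed MAC.
    ok = hmac.compare_digest(mac.encode(), _mac(value).encode())
    return value if ok else None

def order_total(form: dict) -> int:
    """Price an order from server data; any client-submitted price is ignored."""
    sku = form.get("sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("invalid quantity") from None
    # Parameter validation: unknown items and out-of-range quantities are rejected.
    if sku not in CATALOGUE or not 1 <= qty <= 100:
        raise ValueError("invalid order parameters")
    return CATALOGUE[sku] * qty
```

The MAC only detects modification; it does not hide the cookie's contents, so secrets such as passwords still do not belong in it.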
SOLUTIONS FOR THE ISSUES
In order to prevent the above issues and ensure that users enjoy optimum security with their computing features, a number of processes can be adopted:
1.      Keep software updated
2.      Check for programming errors
3.      Monitor stored data to ensure that third-party access is easily detected
References
ANDERSON, J. P. 1972. Computer security technology planning study. ESD-TR-73-51, Vols I and II, NTIS AD758206, Hanscom Field, Bedford, MA (October 1972).
BISBEY II, R. 1990. Private communication. (26 July 1990).
BISBEY II, R., AND HOLLINGWORTH, D. 1978. Protection analysis project final report. ISI/RR-78-13, DTIC AD A056816, USC/Information Sciences Institute (May 1978).
BREHMER, C. L. AND CARL, J. R. 1993. Incorporating IEEE Standard 1044 into your anomaly tracking process. CrossTalk, J. Defense Software Engineering, 6, (Jan. 1993), 9-16.
CHILLAREGE, R., BHANDARI, I. S., CHAAR, J. K., HALLIDAY, M. J., MOEBUS, D. S., RAY, B. K., AND WONG, M-Y. 1992. Orthogonal defect classification—a concept for in-process measurements. IEEE Trans. on Software Engineering 18, 11, (Nov. 1992), 943-956.
IEEE COMPUTER SOCIETY 1990. Standard glossary of software engineering terminology. ANSI/IEEE Standard 610.12-1990. IEEE Press, New York.
NEUMANN, P. G. 1978. Computer security evaluation, 1978 National Computer Conference, AFIPS Conf. Proceedings 47, Arlington, VA, 1087-1095.
PETROSKI, H. 1992. To Engineer is Human: The Role of Failure in Successful Design. Vintage Books, New York, NY, 1992.
PFLEEGER, C. P. 1989. Security in Computing. Prentice Hall, Englewood Cliffs, NJ.