Communications of the ACM

Securing Network Software Applications: Introduction


Ask a school-age child about Melissa, and instead of hearing about the "red-haired girl in Mrs. Stiefel's class," the most likely answer would point to the Microsoft Word macro virus that wreaked havoc around the world in March 1999. The impact of the ubiquitous World Wide Web, the fastest growing element of the Internet, is mind-boggling. The debate about its social and economic impacts will go on for ages, but one fact remains—the Internet is here to stay. Today we have the ability to conduct online shopping, talking, dating, and even smelling¹ (business-to-consumer; B2C). Similarly, businesses can share and exchange information for more efficient business practices (business-to-business; B2B). And in the same vein, individuals—most of the time complete strangers—exchange useful and sometimes profitable information with each other (individual-to-individual; i2i) [1]. Information sharing over the Internet has become a prevailing practice in every segment of our e-society.

While extremely useful for conducting day-to-day business operations, the proliferation of e-commerce over the Internet has provided a perfect target for computer crackers, script-kiddies, and other such bad guys. Since the Web is being utilized by both small and large corporations, and by governments for conducting their business electronically, people with malicious intent do not have to leave their computers to bring a business to its knees. Although it is a little more difficult to take down a government's computer networks, it can be done. Recent cyber-warfare attacks between the Palestinians and Israelis in the Middle East conflicts indicate this is likely to become more common in the future. The reliance of a business on the Internet makes it extremely vulnerable to all sorts of attacks. While some readers may be viewing these words over the Internet, we can safely say that many people are trying to discover illegitimate ways to exploit loopholes in computers around the world.

Completely securing a computer against unauthorized access is extremely difficult—there are many ways for an attacker to gain access. In general, however, an attacker employs the easiest ways to fulfill his or her malicious intentions. Some of these attacks include shoulder surfing, dumpster diving, network sniffing, exploiting code weaknesses (such as buffer overflows), denial-of-service attacks, and others. These attacks can come from outside as well as from within. Hence, it is equally important to provide adequate safeguards for both internal and external threat sources.

At this point, it is important to understand some basic terminology. What exactly is security? According to Descartes, we know what time is until we are asked to define it. Similarly, we know or have a sense of what security is. But regardless of how we define it, security is a multidimensional concept that needs to be explored in detail to understand and measure it. Some of these dimensions include privacy, physical access restrictions, application availability, network confidentiality, content integrity, and access policy. Each of these dimensions is continuously evolving in terms of both scope and solution, but no standards can effectively address the subject. Security is all about managing risks. When people think of security, they generally refer to one or more of the following aspects (definitions are those given by the Internet Society [1]):

  • Authentication: The process of verifying an identity claimed by or for a system entity.
  • Access control: Protection of system resources against unauthorized access; a process by which use of system resources is regulated according to a security policy and is permitted by only authorized entities (users, programs, processes, or other systems) according to that policy.
  • Audit trail: A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to final results.
  • Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes (such as any unauthorized system entity).
  • Integrity: The property that information has not been modified or destroyed in an unauthorized manner.
  • Availability: The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system.
  • Nonrepudiation: A security service that provides protection against false denial of involvement in a communication.

With evolving technologies enabling new economic models via increasingly integrated and distributed business environments, security has an even higher priority. How, then, are companies to cope with and manage security? The software community has developed commonly accepted metrics to measure quality and performance. Nevertheless, do we have a commonly accepted, and yet practical, method to define and measure security?

The goal of this special section is to increase awareness of security-related issues. The intent is not to provide a how-to manual or an all-encompassing definition of security. Rather, we have attempted to highlight current and future dimensions of security that are expected to motivate investigations to answer these complex questions. Another objective of this section is to educate software professionals so that the security threats facing them in the development and deployment of Web-based software applications can be addressed. As quoted in various studies, the highest probability of threat sources comes from within [2]. Hence, with our society's increased reliance on the Internet, it is equally, if not more, important for intranet as well as extranet applications to be highly secure. It is imperative for us, as software professionals, to research and provide answers to the security threats facing society today and in the future.

The five articles selected for this special section cover various dimensions of security. "Security Models for Web-based Applications" by Joshi et al. concentrates on the need for access control in the context of Web-based applications. "The Privacy Practices of Web Browser Extensions" by Martin et al. addresses the privacy disclosure and data monitoring capabilities of browser extension software. Ghosh and Swaminatha's article, "Software Security and Privacy Risks in Mobile E-Commerce," examines software security and privacy risks unique to wireless (mobile) computing. "An Operating System Approach to Securing E-Services" by Dalton and Choo examines the problems surrounding software applications that compromise each other via loopholes from within, describing a Linux-based platform that implements the containment property to dynamically separate running untrusted or partially trusted services. And "Trust (and Mistrust) in Secure Applications" by Viega et al. explores several common ways in which erroneous trust assumptions in software applications can dramatically reduce security of those applications.

Will there ever be a completely secure system? No one can answer this question with any certainty. There is one guarantee, however: this game of cat-and-mouse between the two sides will continue even with the establishment of a "completely secure system." Protectors will devise more secure systems, whereas attackers will continue their efforts to break them. Only time will tell who succeeds where. We hope the articles presented here will raise awareness about security and its associated dimensions, stimulate ideas for further research and development in security, and provide solutions for securing our computing resources.

References

1. Internet Society, RFC 2828. Internet Security Glossary, 2000; ftp.isi.edu/in-notes/rfc2828.txt.

2. Olson, J.S. and Olson, G.M. I2i trust in e-commerce. Commun. ACM 32, 12 (Dec. 2000), 41.

Authors

Imran Bashir is Director of Network Engineering Systems (IT) at Qwest Communications International, in Ballston, VA.

Enrico Serafini is Director of Business Objects Development Center (IT) at Qwest Communications International in Dublin, OH.

Kevin Wall is Senior Architect (IT) at Qwest Communications International in Dublin, OH.

Footnotes

1 www.digiscents.com


©2000 ACM  0002-0782/01/0200  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2001 ACM, Inc.


 
