Every tech startup founder should have basic knowledge of software vulnerabilities. When creating software, particularly bootstrapped apps built with the goal of just getting an MVP out there, security is an often-overlooked aspect, and that neglect costs founders, investors, and developers revenue and time in the long run. The following is a primer on software vulnerabilities.
The fact that we can represent security patterns as intelligent data is a huge advancement in the world of information security. Intelligent data is data that is clear and unambiguous, so that decisions can be made based on its values.
To understand how this all came to be, we have to take a look at a brief timeline of events in the computing world, because software vulnerabilities are as old as software itself.
In the 1950s, John von Neumann stated that there is a similarity between computer systems and the human brain, and thus that there must be flaws in computer systems, because there are flaws in human genes. Two decades later, researchers proposed original research projects focusing on protection and security analysis of operating systems. In 1988, Robert Morris exploited a vulnerability in UNIX and created the Morris Worm, which affected about 10% of computers worldwide. That same year, Carnegie Mellon University founded the Computer Emergency Response Team (CERT), which began to collect software vulnerabilities systematically. Then in 1999, MITRE created Common Vulnerabilities and Exposures (CVE), which provides a standard way of naming known software vulnerabilities so that data can be shared across separate repositories.
Vulnerability enumeration is about building the basic database of software vulnerabilities out there. It deals with the empirical findings in the early analysis stages. When a vulnerability in software is found, the data is structured and filed in vulnerability databases, security bulletins, or vulnerability directories and indices.
There is a very large volume of software out there in the world, and it’s an incredibly hard task to keep track of it all. Add to this the fact that disclosure of software vulnerabilities is avoided by large corporations due to commercial reasons. For example, Equifax wasn’t too excited about being hacked. A few years ago, Target took a long time to acknowledge the security breach they had.
There are quite a few large companies that have built vulnerability databases. A few examples are:
- Microsoft’s Security Bulletins
- HP’s Security Bulletins
- IBM’s ISS X-Force Database
The main challenge that vulnerability enumeration faces is unifying the description of vulnerabilities as well as keeping track of the excluded ones. The former challenge was tackled by the United States National Vulnerability Database (NVD). The NVD provides information on features, impact type, range, vulnerability type, and other details. They omit the vendor or version of the software, however. The latter challenge is still a serious problem. New software is being created daily, and there are no guarantees that developers are adhering to safe coding practices. Founders, CEOs, and CTOs need to be wary of software vulnerabilities in order to prevent their products from being targeted by malicious attacks.
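To make the idea of "structured" vulnerability data concrete, here is an added example (not part of the original article, and not the NVD's or MITRE's own data model) of what a startup can do once vulnerability records carry unambiguous fields: match them against the list of components its product depends on. All record identifiers, vendor and product names, versions and scores below are constructed placeholders, not real CVE entries. The version handling also shows why vulnerability records need machine-comparable version ranges rather than free text: "2.10.0" sorts before "2.4.10" as a string but after it as a version.

```python
"""Match structured vulnerability records against a software inventory (constructed example)."""
from dataclasses import dataclass


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not lexically."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class VulnRecord:
    """One entry in a vulnerability database, with unambiguous fields (the 'intelligent data' of the text)."""
    vuln_id: str          # placeholder identifier, not a real CVE number
    vendor: str
    product: str
    version_start: str    # first affected version (inclusive)
    version_end: str      # first fixed version (exclusive)
    vuln_type: str        # e.g. "SQL injection"
    impact: str           # e.g. "remote code execution"
    severity: float       # 0.0 to 10.0, CVSS-style scale


@dataclass(frozen=True)
class Component:
    """A third-party component the product depends on, as recorded in the startup's inventory."""
    vendor: str
    product: str
    version: str


def normalize(name: str) -> str:
    """Unify vendor/product naming so 'ExampleCorp ' and 'examplecorp' match."""
    return name.strip().lower()


def affects(record: VulnRecord, component: Component) -> bool:
    """True when the component's version falls in the record's affected range."""
    if normalize(record.vendor) != normalize(component.vendor):
        return False
    if normalize(record.product) != normalize(component.product):
        return False
    version = parse_version(component.version)
    return parse_version(record.version_start) <= version < parse_version(record.version_end)


def find_exposures(database: list[VulnRecord], inventory: list[Component]) -> list[tuple[Component, VulnRecord]]:
    """Return (component, record) pairs for every affected component, most severe first."""
    hits = [(c, r) for c in inventory for r in database if affects(r, c)]
    hits.sort(key=lambda pair: pair[1].severity, reverse=True)
    return hits


# Constructed sample database: placeholder identifiers and fictional products.
CONSTRUCTED_DB = [
    VulnRecord("VULN-EXAMPLE-0001", "ExampleCorp", "webframework", "2.0.0", "2.4.10",
               "SQL injection", "database disclosure", 9.8),
    VulnRecord("VULN-EXAMPLE-0002", "ExampleCorp", "imagelib", "1.0.0", "1.3.0",
               "buffer overflow", "remote code execution", 7.5),
]

# Constructed sample inventory for a hypothetical startup's product.
CONSTRUCTED_INVENTORY = [
    Component("examplecorp", "webframework", "2.4.3"),   # inside the affected range
    Component("ExampleCorp", "webframework", "2.10.0"),  # after the fix; lexically it would look affected
    Component("ExampleCorp", "imagelib", "1.3.0"),       # exactly the fixed version, so not affected
    Component("ExampleCorp", "queue", "0.9.1"),          # no record at all
]


if __name__ == "__main__":
    for component, record in find_exposures(CONSTRUCTED_DB, CONSTRUCTED_INVENTORY):
        print(f"{component.product} {component.version}: {record.vuln_id} "
              f"({record.vuln_type}, severity {record.severity})")
```

The `normalize` step is a miniature of the unification problem the text describes: the same vendor and product are spelled differently across bulletins and databases, and a record is only useful if a program can tell which software it refers to. Exclusive upper bounds (`version_end` is the first fixed release) keep the "is my version affected?" question unambiguous.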
A good CEO for a tech startup has knowledge about the technologies used in his or her product.
About the Author
Pablo Cortez is an undergraduate student currently working towards his Bachelor of Science in Computer Science in the College of Engineering at the University of Nevada, Las Vegas (UNLV). Since 2014, Pablo has held different positions as a web developer and internships as a software developer, most recently having worked at the SWITCH Innevation Center. Pablo is currently the lead web developer for the United Labor Agency of Nevada and has joined the Big Data Lab at UNLV as a researcher under the tutelage of graduate students and faculty, currently researching image processing algorithms.
Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of RVF or UNLV. In addition, thoughts and opinions are subject to change and this article is intended to provide an opinion of the author at the time of writing this article. All data and information is for informational purposes only.