Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Vulnerability (computer security)
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
==Causes== Despite a system administrator's best efforts, virtually all hardware and software contain bugs.{{sfn|Ablon|Bogart|2017|p=1}} If a bug creates a security risk, it is called a vulnerability.{{sfn|Ablon|Bogart|2017|p=2}}{{sfn|Daswani |Elbayadi|2021|p=25}}{{sfn|Seaman|2020|pp=47-48}} Software patches are often released to fix identified vulnerabilities, but [[zero-days]] are still liable for exploitation.{{sfn|Daswani |Elbayadi|2021|pp=26-27}} Vulnerabilities vary in their ability to be [[Exploit (computer security)|exploited]] by malicious actors, and the actual risk is dependent on the nature of the vulnerability as well as the value of the surrounding system.{{sfn|Haber |Hibbert|2018|pp=5-6}} Although some vulnerabilities can only be used for [[denial of service]] attacks, more dangerous ones allow the attacker to perform [[code injection]] without the user's awareness.{{sfn|Ablon|Bogart|2017|p=2}} Only a minority of vulnerabilities allow for [[privilege escalation]], which is typically necessary for more severe attacks.{{sfn|Haber |Hibbert|2018|p=6}} Without a vulnerability, an exploit typically cannot gain access.{{sfn|Haber |Hibbert|2018|p=10}} It is also possible for [[malware]] to be installed directly, without an exploit, through [[social engineering]] or poor [[physical security]] such as an unlocked door or exposed port.{{sfn|Haber |Hibbert|2018|pp=13–14}} ===Design factors=== Vulnerabilities can be worsened by poor design factors, such as: *Complexity: Large, complex systems increase the possibility of flaws and unintended access points.<ref name=Vacca23>{{cite book|last= Kakareka|first=Almantas|editor-last=Vacca|editor-first=John|title=Computer and Information Security Handbook|series=Morgan Kaufmann Publications|year=2009|publisher= Elsevier Inc|isbn= 978-0-12-374354-1|page=393|chapter=23}}</ref> *Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw.<ref>{{cite book | title = Technical Report CSD-TR-97-026 | first = Ivan | last = Krsul | publisher = The COAST Laboratory Department of Computer Sciences, Purdue University | date = April 15, 1997 | citeseerx = 10.1.1.26.5435 }}</ref> However, using well-known software, particularly [[free and open-source software]], comes with the benefit of having more frequent and reliable software patches for any discovered vulnerabilities.{{cn|date=May 2025}} *Connectivity: any system connected to the internet can be accessed and compromised. [[Air gap (networking)|Disconnecting systems from the internet]] can be extremely effective at preventing attacks, but it is not always feasible.{{sfn|Linkov|Kott|2019|p=2}} *[[Legacy software]] and [[legacy hardware|hardware]] is at increased risk by nature.{{sfn|Haber |Hibbert|2018|p=155}} System administrators should consider upgrading from legacy systems, but this is often prohibitive in terms of cost and [[downtime]].{{cn|date=May 2025}} ===Development factors=== Some [[software development]] practices can affect the risk of vulnerabilities being introduced to a code base. Lack of knowledge about secure software development or excessive pressure to deliver features quickly can lead to avoidable vulnerabilities to enter production code, especially if security is not prioritized by the [[company culture]]. This can lead to unintended vulnerabilities. The more complex the system is, the easier it is for vulnerabilities to go undetected. Some vulnerabilities are deliberately planted, which could be for any reason from a disgruntled employee selling access to cyber criminals, to sophisticated state-sponsored schemes to introduce vulnerabilities to software. Poor [[software development]] practices can affect the likelihood of introducing vulnerabilities to a code base. Lack of knowledge or training regarding secure software development, excessive pressure to deliver, or an excessively complex code base can all allow vulnerabilities to be introduced and left unnoticed. These factors can also be exacerbated if security is not prioritized by the [[company culture]]. {{sfn|Strout|2023|p=17}} Inadequate [[code review]]s can also lead to missed bugs, but there are also [[Static application security testing|static code analysis]] tools that can be used during the code review process to help find some vulnerabilities.{{sfn|Haber |Hibbert|2018|p=143}} In some cases, vulnerabilities can also be deliberately planted by an [[insider threat]], such as by a disgruntled emplpoyee selling access to cyber criminals or state-sponsored schemes.{{cn|date=June 2025}} [[DevOps]], a development workflow that emphasizes automated testing and deployment to speed up the deployment of new features, often requires that many developers be granted access to change configurations, which can lead to deliberate or inadvertent inclusion of vulnerabilities.{{sfn|Haber |Hibbert|2018|p=141}} Compartmentalizing dependencies, which is often part of DevOps workflows, can reduce the [[attack surface]] by paring down dependencies to only what is necessary.{{sfn|Haber |Hibbert|2018|p=142}} If [[software as a service]] is used, rather than the organization's own hardware and software, the organization is dependent on the cloud services provider to prevent vulnerabilities.{{sfn|Haber |Hibbert|2018|pp=135-137}} ===National Vulnerability Database classification=== {{missing information|section|the other causes|date=May 2025}} The [[National Vulnerability Database]] classifies vulnerabilities into eight root causes that may be overlapping, including:{{sfn|Garg|Baliyan|2023|pp=17–18}} #[[Improper input validation|Input validation]] vulnerabilities exist when [[input checking]] is not sufficient to prevent the attacker from injecting malicious code. [[Buffer overflow]] exploits, [[buffer underflow]] exploits, and [[boundary condition]] exploits typically take advantage of this category.{{sfn|Garg|Baliyan|2023|p=17}} # [[Access control]] vulnerabilities enable an attacker to access a system that is supposed to be restricted to them, or engage in [[privilege escalation]].{{sfn|Garg|Baliyan|2023|p=17}} #When the system fails to handle and exceptional or unanticipated condition correctly, an attacker can exploit the situation to gain access.{{sfn|Garg|Baliyan|2023|p=18}} #Configuration vulnerability come into existence when configuration settings cause risks to the system security, leading to such faults as unpatched software or file system permissions that do not sufficiently restrict access.{{sfn|Garg|Baliyan|2023|p=18}} #A [[race condition]]—when timing or other external factors change the outcome and lead to inconsistent or unpredictable results—can cause a vulnerability.{{sfn|Garg|Baliyan|2023|p=18}}
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)