Unit-1 WAS

The document discusses the history of software security and hacking from telephone phreaking to modern web applications. It then covers authentication, authorization, secure sockets layer (SSL), transport layer security (TLS), and the importance of implementing encryption protocols for data security.

Uploaded by Mohamed Shaaheen

1. The History of Software Security:

With proper evaluation of historical events, we can see the origins of modern defensive and
offensive techniques. From these origins we can better understand the direction in which software
has developed, and make use of historical lessons while developing next-generation offensive and
defensive techniques.

Telephone phreaking

• In order to scale telephone networks, manual operators were replaced with automation that relied
on sound frequencies carried on the voice line itself (in-band signaling) to connect telephones to each other.
• Early hackers, known as "phreakers," learned to emulate these frequencies and take advantage of
administrative tones that allowed them to place calls without paying for them.
• In response to phreaking, scientists at Bell Labs developed a dual-tone multi-frequency (DTMF) system
whose tone pairs were not easily reproduced. For a long period of time, this eliminated or significantly
diminished telephone phreaking.
• Eventually, specialized hardware was developed that could mimic DTMF tones, rendering such a
system ineffective against phreakers.
• Finally, telephone switching centers moved to digital, out-of-band signaling, in which control
information no longer travels on the same channel as the caller's audio, and this class of attack was
eliminated. DTMF tones remain in modern phones for backward compatibility.

Computer hacking

• Although personal computers already existed, the Commodore 64 was the first computer that was
user-friendly and budget-friendly enough to cause a massive spread in personal computer adoption.
• An American computer scientist, Fred Cohen, demonstrated (and named) the first computer virus in
1983: a program capable of making copies of itself and spreading from one computer to another.
• Another American computer scientist, Robert Morris, released the Morris Worm in 1988, the first
recorded self-propagating malware deployed outside of a research lab. It spread to an estimated 6,000
network-attached computers, roughly a tenth of the Internet at the time, within a day of its release.
• The US General Accounting Office (now the Government Accountability Office) was called in to
estimate the damage, and Morris became the first person convicted under the Computer Fraud and Abuse
Act of 1986. He was sentenced to three years' probation, 400 hours of community service, and a
$10,050 fine.

The World Wide Web

• The development of Web 1.0 opened up new avenues for hackers to attack servers and networks.
• The rise of Web 2.0, which involved user-to-user collaboration over HTTP, resulted in a new
attack vector for hackers: the browser.
• Because the web had been built on security mechanisms designed for protecting servers and
networks, many users' devices and data were compromised until better security mechanisms and
protocols could be developed.

Modern web applications

• Since the introduction of Web 2.0, browser security has increased dramatically. This has changed
the playing field, causing hackers to begin targeting logical vulnerabilities in application code
more than vulnerabilities present in server software, network protocols, or web browsers.
• The introduction of Web 2.0 also brought with it applications containing much more valuable data
than ever before. Banking, insurance, and even medicine have moved critical business functionality
to the web. This has resulted in a winner-takes-all playing field for hackers, where the stakes are
higher than ever before.
• Because today's hackers are targeting logical vulnerabilities in application source code, it is
essential for software developers and security experts to begin collaborating. Individual
contribution is no longer as valuable as it was in the past.

4. Authentication and Authorization:

Because we are storing credentials and offering a different user experience to guests and registered
users, we know we have both an authentication and an authorization system. This means we must
allow users to log in, as well as be able to differentiate among different tiers of users when
determining what actions these users are allowed.

Furthermore, because we are storing credentials and support a login flow, we know credentials will be
sent over the network, and that a server-side record derived from them (a salted password hash, never
the password itself) must be stored so that later logins can be verified; without it the
authentication flow breaks down.

This means we have to consider the following risks:

• How do we handle data in transit?
• How do we handle the storage of credentials?
• How do we handle the various authorization levels of users?
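The second and third risks worked through in Python, as an added example that is not code from the original notes: the password is never stored, only a salted scrypt hash from the standard library; verification is constant-time and takes the same time for unknown usernames as for wrong passwords; and authorization is a server-side comparison of the authenticated user's role against the role an action requires. The roles, actions and in-memory user store are constructed for the example and stand in for a real database.

```python
"""Credential storage and tiered authorization for a site that serves both
guests and registered users. Added example, not code from the original notes;
the roles, actions and in-memory user store are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# scrypt cost parameters (assumed baseline; raise N as your hardware allows)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32

# Constructed authorization tiers: a higher rank may do everything a lower rank may.
ROLE_RANK = {"guest": 0, "user": 1, "admin": 2}
ACTION_ROLE = {                 # constructed action -> minimum role table
    "view_catalog": "guest",
    "place_order": "user",
    "refund_order": "admin",
}


def hash_password(password: str) -> str:
    """Return a self-describing salted scrypt record; store this, never the password."""
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters embedded in `stored`; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(key_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:          # malformed record: wrong field count, bad hex, bad ints
        return False
    return hmac.compare_digest(candidate, expected)


@dataclass
class User:
    username: str
    password_hash: str
    role: str


USERS: dict = {}   # constructed in-memory store; a real deployment uses a database

# A real-looking record for unknown usernames so a failed lookup costs the same as a
# failed password check; otherwise response time reveals which usernames exist.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


def register(username: str, password: str, role: str = "user") -> User:
    if role not in ROLE_RANK or role == "guest":
        raise ValueError("registered accounts need a non-guest role")
    if username in USERS:
        raise ValueError("username already taken")
    USERS[username] = User(username, hash_password(password), role)
    return USERS[username]


def authenticate(username: str, password: str) -> Optional[User]:
    """Return the User on success, None on any failure (no separate 'no such user')."""
    user = USERS.get(username)
    ok = verify_password(password, user.password_hash if user else _DUMMY_HASH)
    return user if (ok and user is not None) else None


def authorize(user: Optional[User], action: str) -> bool:
    """Decided server-side from the authenticated identity; None means guest."""
    required = ACTION_ROLE.get(action)
    if required is None:
        return False            # unknown actions are denied by default
    role = user.role if user is not None else "guest"
    return ROLE_RANK[role] >= ROLE_RANK[required]
```

scrypt is used here because it ships in the standard library; where a maintained argon2id binding is available it is the better choice, and the record format above (algorithm and parameters stored beside the hash) is what lets you raise the cost or change algorithm later without invalidating existing accounts.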

5. Secure Sockets Layer (SSL)

One of the most crucial aspects of securing data in transit is encrypting the connection itself, which
was first done on the web with Secure Sockets Layer (SSL). SSL was designed by Netscape in the mid-1990s
(SSL 2.0 in 1995, SSL 3.0 in 1996; SSL 1.0 was never released). The primary purpose of SSL is to encrypt
and authenticate data during transmission, reducing the risk of a man-in-the-middle attack.

SSL Overview:

• Purpose: Encrypt data in transit to mitigate the risk of unauthorized access and interception.
• Development: Introduced by Netscape in the mid-1990s, with multiple versions released over time.
• Vulnerabilities: Despite its widespread adoption, SSL was found to have multiple vulnerabilities that
undermine it as a cryptographic protocol (POODLE against SSL 3.0 being the best known). SSL 2.0 and
SSL 3.0 are now prohibited (RFC 6176 and RFC 7568), and a server that still offers them should be
treated as misconfigured.

6. Transport Layer Security (TLS)

Transport Layer Security (TLS) is a cryptographic protocol first defined by RFC 2246 (TLS 1.0) in 1999.
It was introduced to address architectural issues present in SSL. While TLS shares the goal of
encrypting data during transmission, TLS 1.0 is not interoperable with SSL 3.0 because of differences
in the handshake and record layer, even though the two are closely related. Later versions are TLS 1.1
(RFC 4346, 2006), TLS 1.2 (RFC 5246, 2008) and TLS 1.3 (RFC 8446, 2018); TLS 1.0 and 1.1 were
deprecated by RFC 8996 in 2021, so a current deployment should offer only TLS 1.2 and 1.3.

TLS Overview:

• Purpose: Secure in-transit data from potential threats by providing a more robust security
framework.
• Development: Defined by RFC 2246 in 1999 as an enhancement and response to architectural issues
in SSL, and revised three times since.
• Compatibility: Cannot interoperate with older versions of SSL due to significant architectural
differences.
• Security: Offers stronger security than SSL; only TLS 1.2 and TLS 1.3 are considered acceptable today.

Implementation and Recognition

TLS (and, historically, SSL) is crucial for ensuring the security of data in transit. Web browsers have
traditionally indicated a secure connection by displaying a lock icon in the address bar when the site's
certificate validates and the handshake succeeds; some current browsers have since replaced the lock
with a neutral icon, because a valid certificate says nothing about whether the site itself is
trustworthy. Using "https" as the URI scheme (RFC 2818, now part of RFC 9110) tells the client to
complete a TLS handshake before any HTTP data is sent over the network.

Recognition of Secure Connections:

• Browser Indicator: Browsers display a lock (or equivalent) icon for secure connections, providing
visual assurance to users that the connection is encrypted and the certificate validated.
• HTTPS Requirement: The "https" URI scheme requires TLS (or, historically, SSL) for the connection;
the request is not sent if the handshake cannot be completed.
• Warning on Failure: Browsers warn end users when certificate validation fails during an HTTPS
request (expired, self-signed or mismatched certificate, untrusted issuer) or when no acceptable
protocol version can be negotiated.

Application to MegaMerch
For MegaMerch, the priority is to ensure that every request, not just the login form, is served over
HTTPS with TLS 1.2 or later: plain-HTTP requests should be redirected to HTTPS, and the site should send
an HTTP Strict Transport Security (HSTS) header so browsers do not try HTTP again. TLS configuration is
generally specific to the server (or to the reverse proxy or load balancer that terminates TLS in front
of it), but the major web server software packages offer straightforward integration to encrypt web
traffic.
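The settings behind the SSL, TLS and MegaMerch sections above, written out with Python's standard ssl module as an added example (this is not code from the notes or from MegaMerch; the URLs and certificate paths are constructed placeholders): a hardened client context beside the weak one an audit should reject, a server context with the same TLS 1.2 floor, and a check that credentials are only ever sent to an https:// URL.

```python
"""TLS settings that enforce the points above: refuse SSL 2.0/3.0 and TLS 1.0/1.1,
require and verify the server certificate and hostname, and refuse to send anything
over a plain http:// URL. Added example, not code from the notes or from MegaMerch;
the URLs and certificate paths are constructed placeholders."""
import ssl
from urllib.parse import urlsplit


def make_client_context() -> ssl.SSLContext:
    """Hardened client side: system CA store, certificate and hostname checks, TLS 1.2+."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # SSLv2/v3 and TLS 1.0/1.1 are deprecated
    return ctx


def make_legacy_client_context() -> ssl.SSLContext:
    """The weak settings still found in old code, kept here only to be audited against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE                 # accepts any certificate: enables MITM
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def make_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server side with the same TLS 1.2 floor; the paths are placeholders the deployment supplies."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses a reviewer would flag; an empty list means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


def is_https_url(url: str) -> bool:
    """The scheme is the application's promise that TLS is in place before any byte is sent."""
    return urlsplit(url).scheme.lower() == "https"


def require_https(url: str) -> str:
    """Gate for any call that carries credentials: fail closed on a non-TLS URL."""
    if not is_https_url(url):
        raise ValueError(f"refusing to send credentials over non-TLS URL: {url}")
    return url
```

The audit function is the part worth keeping around: run it over every SSLContext your codebase constructs (a test suite is a good place) and the three classic ways of "fixing" a certificate error by turning verification off are caught before they reach production.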

Conclusion
In conclusion, SSL and TLS play pivotal roles in securing data in transit, with TLS being the more
advanced and secure iteration designed to address vulnerabilities identified in SSL, and TLS 1.2 and
1.3 the only versions that should be deployed today. The widespread adoption of HTTPS and browser
indicators for secure connections emphasizes the importance of implementing these protocols for web
applications like MegaMerch.
