You are viewing a free preview of this lesson.
Subscribe to unlock all 10 lessons in this course and every other course on LearningBro.
Software vulnerabilities are one of the most common entry points for cyber attacks. This lesson covers how organisations protect their software through updates, patches and secure coding practices — all key topics for GCSE Computer Science.
All software contains potential weaknesses. These vulnerabilities may arise from:
When a vulnerability is discovered, it creates a race between:
A software update is a new version of a program that may include:
| Reason | Explanation |
|---|---|
| Close known vulnerabilities | Updates fix security flaws that attackers may already know about |
| Protect against new threats | Updates add defences against recently discovered attack methods |
| Compliance | Some regulations require software to be kept up to date |
| Compatibility | Updated software works better with other updated systems |
| Feature | Automatic Updates | Manual Updates |
|---|---|---|
| Convenience | Install without user action | Require the user to check and approve |
| Speed | Applied as soon as available | May be delayed if the user does not act |
| Control | Less control — updates may install at inconvenient times | Full control over when updates are applied |
| Risk | An update could introduce a new bug | Delay leaves the system vulnerable for longer |
Exam Tip: Most exam mark schemes recommend automatic updates for home users (convenience and speed) but acknowledge that organisations may prefer controlled rollouts to test updates before deploying them across the network.
A security patch is a specific update designed to fix a known vulnerability. Patches are often released urgently in response to a newly discovered threat.
A zero-day vulnerability is a flaw that is discovered and exploited by attackers before the software company is aware of it — meaning there is "zero days" of warning and no patch is available yet.
Zero-day attacks are particularly dangerous because:
Many of the most damaging cyber attacks in history exploited known vulnerabilities for which patches were already available:
| Attack | Year | Vulnerability | Patch Status |
|---|---|---|---|
| WannaCry | 2017 | EternalBlue (Windows SMB) | Patch released 2 months before the attack |
| Equifax breach | 2017 | Apache Struts | Patch released 2 months before the breach |
In both cases, the organisations had not applied available patches in time, leading to catastrophic consequences.
Secure coding means writing software with security in mind from the very beginning, rather than trying to add security later.
Input validation is the process of checking that all data entered by users meets expected criteria before the program processes it. This is the primary defence against injection attacks (SQL injection, XSS).
| Validation Type | What It Checks | Example |
|---|---|---|
| Type check | Data is the correct type | Age must be an integer, not text |
| Range check | Data falls within acceptable limits | Age must be between 0 and 150 |
| Length check | Data is the right length | A UK postcode must be 6-8 characters |
| Format check | Data matches the expected pattern | An email address must contain @ and a domain |
| Presence check | Required fields are not left empty | Username field must not be blank |
Input sanitisation removes or escapes potentially dangerous characters from user input. For example:
<script> tags from text input to prevent XSS attacks') in database queries to prevent SQL injectionAs covered in the Network Attacks lesson, parameterised queries (prepared statements) separate SQL code from user input, preventing SQL injection.
A code review is the practice of having other developers examine source code for security flaws, bugs and poor practices. A fresh pair of eyes often catches issues that the original developer missed.
Software should request only the permissions it needs. A mobile app that takes notes should not need access to the camera, microphone and contacts list.
Anti-malware software (also called antivirus software) detects, prevents and removes malicious software. It uses several detection methods:
| Method | How It Works | Strengths | Weaknesses |
|---|---|---|---|
| Signature-based | Compares files against a database of known malware signatures | Fast; reliable for known threats | Cannot detect new, unknown malware (zero-day) |
| Heuristic analysis | Examines code for suspicious structures or behaviours typical of malware | Can detect new, previously unseen malware | Higher rate of false positives |
| Behavioural detection | Monitors running programs for suspicious actions (e.g. encrypting many files rapidly) | Detects malware based on what it does, not what it looks like | May only trigger after some damage is done |
| Sandboxing | Runs suspicious files in an isolated environment to observe behaviour | Safe testing without risk to the real system | Sophisticated malware can detect sandboxes and behave normally |
Defence in depth is the strategy of using multiple layers of security so that if one layer fails, others continue to protect the system. No single security measure is perfect, so organisations combine many:
| Layer | Example |
|---|---|
| Physical | Locked server rooms, CCTV, security guards |
| Network | Firewalls, intrusion detection systems |
| Host | Anti-malware, operating system hardening |
| Application | Secure coding, input validation |
| Data | Encryption, access controls |
| Human | Security training, policies, procedures |
Subscribe to continue reading
Get full access to this lesson and all 10 lessons in this course.