Finding Security Gaps


Security vulnerabilities in a system are hardware or software defects that directly affect the security of that system. Once attackers recognize these weaknesses, they try to take advantage of them through a mechanism called an "exploit".

Once discovered, these weaknesses are more likely to be discussed and spread on social media than to be reported to the vendor of the hardware or software, or to the government sites set up for reporting such gaps.

An exploit is a program written to perform an action by using a known vulnerability in a hardware or software system. Using an exploit against a vulnerability is called an attack. The purpose of an attack is for the attacker to gain as much access as possible to a system, to the data it stores, or to a specific service within the system.

Software Weaknesses
Software vulnerabilities are usually caused by errors in the operating system or in application code; despite the efforts of entire teams to identify and correct these errors, some remain and eventually come to the surface. Microsoft, Apple and other operating system vendors release updates and patches for their applications and systems on a daily basis. Other applications, such as web browsers, mobile applications and web servers, are updated by the company or organization responsible for them.

In 2015, a major weakness known as "SYNful Knock" was identified in the IOS of some Cisco devices. It allowed attackers to take control of some Cisco routers, monitor all communications on the network and infect other devices on the network. Cisco eliminated the weakness by publishing a new version of IOS, which was installed on the affected network devices.

The purpose of software updates is to keep systems on the latest version and so avoid known vulnerabilities. Some companies have entire teams doing penetration testing ("pen testing") to look for potential vulnerabilities in their systems, or they contract third parties to perform such a service for them.

Google's Project Zero is a practical example. After finding that a large number of vulnerabilities had been reported in various types of software used by its end users, Google formed a team dedicated to identifying such software vulnerabilities, called Google Security Research.

Hardware Weaknesses
Hardware weaknesses are mainly caused by hardware design. One example is RAM, where the memory cells (capacitors) are placed very close to each other. It has been found that, because of this proximity, constantly changing the state of one capacitor can also affect the neighbouring capacitors. A program called "Rowhammer" was built on this design flaw. By constantly rewriting the same RAM address, the Rowhammer attack affects the data held at nearby memory addresses, and so reaches data through an address in RAM that was never meant to give access to it.

Hardware vulnerabilities are specific to certain device models and are not the kind of weakness that is found by any random attempt. Research into hardware vulnerabilities and their exploitation is therefore directed mostly at very important targets.

Categorization of Security Gaps
Most software security vulnerabilities can fall into one of the following categories:

Buffer overflow - This gap appears when more data is written to a buffer than it can hold. Buffers are separate memory areas set aside for an application. By writing data beyond the limits of a buffer, the application reaches into memory reserved for another purpose, which can end with the system crashing, data being compromised or privileges being obtained.
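As an added illustration (not code from the original article), the vulnerable pattern described above next to its hardened form: a fixed 16-byte name buffer, an unbounded strcpy() that overruns it, and a bounded copy that rejects input that does not fit. The NAME_MAX size and the helper input_fits() are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size buffer, as in the text (constructed) */

/* Vulnerable form: strcpy() copies until the NUL byte, so any input
 * of 16 or more characters writes past the end of 'buf'. */
void copy_name_vulnerable(char *buf, const char *input) {
    strcpy(buf, input);   /* no bounds check: the overflow lives here */
}

/* Hardened form: reject input that does not fit and always terminate
 * the result. Returns 0 on success, -1 if the input was rejected. */
int copy_name_safe(char *buf, size_t buf_size, const char *input) {
    size_t len = strlen(input);
    if (buf_size == 0 || len >= buf_size)
        return -1;                 /* too long: write nothing at all */
    memcpy(buf, input, len + 1);   /* bounded copy including the NUL */
    return 0;
}

/* Helper: does a constructed name of n 'A's fit the NAME_MAX buffer?
 * Returns 1 if the safe copy accepted it, 0 if it was rejected. */
int input_fits(size_t n) {
    char buf[NAME_MAX];
    char *input = malloc(n + 1);
    if (!input) return 0;
    memset(input, 'A', n);
    input[n] = '\0';
    int rc = copy_name_safe(buf, sizeof buf, input);
    free(input);
    return rc == 0;
}

int main(void) {
    char buf[NAME_MAX];
    if (copy_name_safe(buf, sizeof buf, "alice") == 0)
        printf("copied: %s\n", buf);
    printf("15 chars fit: %d, 16 chars fit: %d\n",
           input_fits(15), input_fits(16));
    /* copy_name_vulnerable(buf, <40 'A's>) would overwrite adjacent
     * stack memory; it is shown only to contrast with the safe form. */
    return 0;
}
```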

Non-validated input - Programs often work with data input. Data entered into a program may have malicious content, designed to force the program to behave in an irregular manner. Example: a program that accepts a photo for processing. A malicious user can craft an image file with dimensions the program does not expect and feed it into the system. Such a picture could force the system to reserve memory for an unknown size.
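As an added example (not from the original article), the image case above with input validation applied: a constructed 8-byte header carrying width and height is checked against per-dimension and total-pixel limits before any memory is reserved, so a hostile header cannot force a huge or integer-wrapped allocation. The header layout, the limits and check_dims() are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Upper bounds this program is willing to handle (an assumed policy). */
#define MAX_DIMENSION   16384u
#define MAX_PIXELS      (64u * 1024u * 1024u)   /* 64 megapixel cap */
#define BYTES_PER_PIXEL 4u

/* The constructed header format: width and height, each a
 * little-endian uint32, in the first 8 bytes of the file. */
static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the buffer size to allocate, or 0 if the header is rejected.
 * Each dimension, the pixel count and the byte count are checked
 * before malloc() is ever called. */
size_t validate_image_header(const unsigned char *hdr, size_t hdr_len) {
    if (hdr_len < 8) return 0;
    uint32_t w = read_le32(hdr), h = read_le32(hdr + 4);
    if (w == 0 || h == 0) return 0;
    if (w > MAX_DIMENSION || h > MAX_DIMENSION) return 0;
    uint64_t pixels = (uint64_t)w * h;   /* 64-bit: cannot wrap here */
    if (pixels > MAX_PIXELS) return 0;
    return (size_t)(pixels * BYTES_PER_PIXEL);   /* at most 256 MiB */
}

/* Helper: build a constructed header for w x h and validate it. */
size_t check_dims(uint32_t w, uint32_t h) {
    unsigned char hdr[8];
    for (int i = 0; i < 4; i++) {
        hdr[i]     = (unsigned char)(w >> (8 * i));
        hdr[4 + i] = (unsigned char)(h >> (8 * i));
    }
    return validate_image_header(hdr, sizeof hdr);
}

int main(void) {
    size_t n = check_dims(640, 480);            /* sane: 1228800 bytes */
    void *pixels = n ? malloc(n) : NULL;
    printf("640x480 -> %zu bytes, alloc %s\n", n, pixels ? "ok" : "skipped");
    free(pixels);
    /* hostile header claiming 0xFFFFFFFF x 0xFFFFFFFF: rejected, no malloc */
    printf("hostile -> %zu\n", check_dims(0xFFFFFFFFu, 0xFFFFFFFFu));
    return 0;
}
```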

Race condition - This gap arises when actions or events do not occur in the order, or at the time, that was intended. One example is a document whose recorded creation date is earlier than its actual creation date, or whose modification date is earlier than its creation date, which creates ambiguity.

Weaknesses in security practices - Systems and sensitive data can be protected through techniques such as authentication, authorization and encryption. Application developers should not create their own security algorithms, because those are more likely to contain gaps that others will research and find. It is highly recommended that developers use security libraries that have already been created, tested and verified.

Access-control problems - Access control is the process of controlling who may access what, and how: managing physical equipment, access to resources such as files, documents and other data, and the kind of access granted, such as reading or changing a file.

Almost all access controls and security practices can be bypassed if attackers have physical access to the devices that host the targeted services. For example, no matter what data restrictions you set, the operating system cannot stop someone from bypassing it by removing the disk and reading the data directly from another device (system).

Protecting devices and data is a constant task. Physical access should be restricted and encryption should be used to protect data from theft or alteration.

ErickStounn