Is your application secure? Are you the next Target?
Writing a secure application isn’t easy. If it connects to the outside world, either directly through the Internet or through other applications, attackers will look for vulnerabilities in it. Here are just a few ways holes can turn up in code:
- Unsanitized form inputs. If an application builds SQL statements by pasting form inputs into the query text, an attacker can end the string literal with a quotation mark and append SQL of their own (SQL injection). That can read, alter or destroy the database, or bypass a login entirely. The fix is parameterized queries, not ad hoc escaping.
- Cookies and URL parameters that the server trusts but the client can tamper with. If a session cookie or URL parameter carries state such as a user ID or role in the clear, a user can edit it to impersonate someone else. Encrypting the value is not enough on its own, since an attacker can still modify ciphertext; it needs an integrity check (for example an HMAC) or, better, the server keeps the state itself and hands out only an opaque random session identifier.
- Storing passwords as plain text. If the database is breached, plaintext passwords hand the intruder every account immediately, plus any other sites where users reused the same password. Passwords should be stored only as salted hashes from a deliberately slow function such as bcrypt, scrypt or Argon2.
- Hard-coding credentials to other services, such as databases. A database password embedded in source code ends up in every copy of the repository, build artifact and backup, and an attacker who obtains any of them finds it with a simple string search. Credentials belong in a secrets store or runtime configuration, not in the code.
Testing finds many security issues. A good QA engineer will notice weak cookies and unsafe forms. However, some flaws, such as bad password storage or hard-coded passwords, are invisible to black-box testing of the running application; they show up only when someone reads the code or runs static analysis and secret scanning over it.
The first requirement for security is to keep it constantly in mind while writing code. Writing sloppy code and promising to make it secure later leads to trouble. Developers should use coding patterns that embody secure practices, such as parameterized queries and one shared password-hashing routine, rather than fixing each problem separately.
Code reviews during the development process need to include security. Reviewers should check whether the code falls into any of the common risk patterns above, because developers often don't see their own mistakes.
Most developers aren't security experts, though, and they can miss problems. The highest confidence that an application is secure comes from retaining an expert to review the source code and test the running application. When security is critical, bringing in a specialist pays for itself many times over if it prevents even one major breach.
Please contact me to learn how I can connect you with the expertise you need to deliver a really secure application. I can also recommend who to go to for a Penetration Analysis as well as static and dynamic code analysis.