Security Awareness
I have been working with application security for the past few years alongside my normal day-to-day development. I am very active in the security community, and it always blows my mind how many developers are still uneducated about security. I believe the trend among attackers has shifted from attacking the network to attacking the applications on the network. This is becoming more evident with attacks that are cross-browser and multi-platform. The industry has been pushing for products to be designed with security in mind from the beginning, but that is far from happening in the “real world”. I have worked for quite a few companies and can attest that this is not always the case. Businesses want to make money. Bottom line. That means they want the product shipped as soon as possible, which usually cuts out the time needed to build unbeatable security, a goal that is impossible anyway.
Does this mean that we should not make the effort to do the simple things that are not high cost and time intensive? For example, there are still many applications that build SQL queries dynamically by joining strings together. It does not take any longer to use parameterized queries than it does to concatenate the string. Sure, maybe you took the extra keystrokes to escape the apostrophe, but that does not provide foolproof security.
What about encoding the output that is sent to the browser? One of the biggest rules is to not trust inputs. That means not just the input from the user, but also input from other components or the database. One should never assume that the data from the data store is clean. Encoding the outputs can make a huge difference in the security of your application, and it is the biggest step toward handling XSS.
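The two points above, the parameterized query and the output encoding, as an added Python example rather than code from the original post (the post is about ASP.Net, but the practice is the same in any stack). The table, the sample rows and the function names are constructed for this illustration; SQLite stands in for the data store.

```python
import html
import sqlite3

# Constructed sample data: an in-memory table standing in for the app's data store.
# One stored display name already contains markup, which is exactly why data
# coming back from the database cannot be assumed clean.
SAMPLE_USERS = [
    ("alice", "Alice"),
    ("obrien", "O'Brien"),
    ("mallory", "<script>alert('x')</script>"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_dynamic(conn: sqlite3.Connection, name: str) -> list:
    # Dynamic SQL: the input is pasted into the statement text. A legitimate
    # name with an apostrophe already breaks the statement, and because the
    # input is parsed as SQL its structure is at the mercy of that input.
    sql = "SELECT login FROM users WHERE display_name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the input is bound as a value and is never parsed
    # as SQL, so apostrophes (or anything else) in it stay plain data.
    sql = "SELECT login FROM users WHERE display_name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_greeting(conn: sqlite3.Connection, login: str) -> str:
    # Output encoding: the display name comes from the data store, not from the
    # user, and it is still HTML-encoded before it is sent to the browser.
    row = conn.execute(
        "SELECT display_name FROM users WHERE login = ?", (login,)
    ).fetchone()
    name = row[0] if row else "guest"
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```

Running `find_by_name_dynamic` with the name O'Brien raises a syntax error from SQLite, while the parameterized version returns the row; the stored script tag is rendered as inert text.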
Should all developers be expert hackers at ripping apart an application? No. I don’t think it really has anything to do with your ability to break a system. It has to do with your ability to understand how the attacks work and what steps you can take to prevent them. Many of the techniques do not take a lot of extra time to implement. Depending on your environment, some of the steps may be taken for you: ASP.Net controls will encode the values for you, and it will also detect script tags on input forms (unless you turn that off). ASP.Net does a good job of starting the security practice, but it does not cover everything. There are still many things you can do to protect your code and data.
I hope the next few posts will provide developers with the right amount of information to perform their daily tasks.