This was originally posted in the Tips and Tricks thread and I thought it would be helpful to share with the Code It group.

The best way to secure your product is to build security in from the start. Most businesses say security is a priority, but software developers rarely apply this in their daily work and often find security vulnerabilities too late in the development lifecycle. Large organizations typically require exhaustive security requirements while smaller companies may cover only the essentials, and the two can end up with very different levels of security. The problem is: big or small, we're all exposed to the same vulnerabilities, and whether you're building web applications or server-side architecture, security should play an integral part in the software lifecycle.

Almost all software security vulnerabilities are the result of poor design and engineering. Programmers focus on building features and sometimes defer security to separate departments in the organization, the ones focused on security. While these teams are great, they don't have the same insight into the design or visibility into the source code. Developers are ultimately responsible for securing their software. As the complexity of the software increases, so does the difficulty of managing the risk. To make life easier, build security in from the requirements phase (use cases and abuse cases) through to the final stage, the analysis of feedback received from the field (security breaks).

When planning and building software, it helps to understand how an attacker thinks and how they would exploit the software. Attackers are pragmatic and tend to have a lot of free time. If functionality is about what an application can do, security is about what an application should not do. Software developers should know and understand the most commonly used attack patterns and should be familiar with the more comprehensive lists applicable to their space. Knowledge is the best defense.

The following list is not exhaustive, but covers some of the most common types of attack patterns:

Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Argument injection (SQL injection)
Command delimiters
Simple script injection
Failure to handle errors
Race conditions
HTTP query strings
User-supplied variable
URL encoding
Direct access to executable files
Sessions and blind trust
User controlled filename
Parameter expansion
Relative path traversal
Buffer overflow
Programs that access resources

There are many techniques to prevent these attacks, including threat modeling, good coding standards, code reviews, static code analysis, runtime monitoring, and many more. Traditionally, the focus of software security was on the OS and network layers, but recently more attention is being paid to web applications and browsers. As a developer, the best thing to do is be aware and build security in at every stage.

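As an added illustration (not part of Fred's post), here are three of the listed patterns in Python, each with the vulnerable form beside the hardened one: argument injection (SQL injection), a user-controlled filename leading to relative path traversal, and cross-site scripting. The table contents, the base directory /srv/app/uploads and the probe inputs are constructed for the example; the function names are mine.

```python
import html
import sqlite3
from pathlib import Path


def make_db():
    """Constructed sample data: an in-memory SQLite table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# --- Argument injection (SQL injection) ---------------------------------

def lookup_role_vulnerable(conn, name):
    """Vulnerable: the user-supplied value is spliced into the query text,
    so quotes and operators inside it are parsed as SQL."""
    query = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_role_safe(conn, name):
    """Hardened: a parameterized query hands the value to the driver
    separately from the SQL text, so it is only ever compared as data."""
    query = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,)).fetchall()]


# --- User-controlled filename / relative path traversal -----------------

def is_within_base(base_dir, user_filename):
    """Hardened check: resolve the combined path (collapsing '..' and any
    symlinks that exist) and require it to be a strict descendant of
    base_dir. Absolute user paths and '..' escapes both fail this test."""
    base = Path(base_dir).resolve()
    target = (base / user_filename).resolve()
    return base in target.parents


def open_user_file(base_dir, user_filename):
    """Runs the check before touching the filesystem. The vulnerable form
    would simply be open(base_dir + '/' + user_filename)."""
    if not is_within_base(base_dir, user_filename):
        raise ValueError("filename escapes the allowed directory")
    return open(Path(base_dir) / user_filename, "rb")


# --- Cross-site scripting (XSS) -----------------------------------------

def render_greeting_vulnerable(name):
    """Vulnerable: untrusted text goes straight into HTML, so any markup
    in it becomes part of the page."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Hardened: escape at the point of output so the browser displays the
    characters literally instead of interpreting them as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed probe: a tautology in the WHERE clause
    print("vulnerable lookup:", lookup_role_vulnerable(db, probe))  # every row
    print("safe lookup:      ", lookup_role_safe(db, probe))        # []
    print("'..' escape allowed?", is_within_base("/srv/app/uploads", "../../etc/passwd"))
    print(render_greeting_safe("<b>x</b>"))
```

The common thread is that each hardened version keeps untrusted input in the role of data (a bound parameter, a path checked against its root after resolution, text escaped for the output context) rather than letting it become part of the code, query or path being interpreted.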
Software security can be a thankless job. When the system is secure, everything behaves as expected and you’re rarely noticed. But as soon as an attack occurs, all the lights will shine on you.

Better be prepared.

Fred