Some developers take shortcuts when it comes to application security, but security is a matter Sofmen takes very seriously.
Attackers can potentially use many different paths through your application to do harm to your business or organization. The costs of a breach can be astronomical; not just the monetary cost, but also the harm to your company’s reputation and loss of trust of your users.
The below table describes the top ten risks as identified by the non-profit organization Open Web Application Security Project (OWASP). OWASP provides tools and best practices to support the development of secure web and mobile applications. Sofmen abides by these guidelines.
Mitigating the Risk
To mitigate these risks, the OWASP recommends using the following top ten proactive controls. Sofmen incorporates these into our standard practice:
- Define Security Requirements:
A security requirement is a statement of needed security functionality that ensures one of many different security properties of software is being satisfied. Security requirements are derived from industry standards, applicable laws, and a history of past vulnerabilities. Security requirements define new features or additions to existing features to solve a specific security problem or eliminate a potential vulnerability. OWASP has a catalog of available security requirements Sofmen uses as one resource for accomplishing this task.
- Leverage Security Frameworks and Libraries:
Secure coding libraries and software frameworks with embedded security help software developers guard against security-related design and implementation flaws. A developer writing an application from scratch might not have sufficient knowledge, time, or budget to properly implement or maintain security features. Leveraging security frameworks helps accomplish security goals more efficiently and accurately.
- Secure Database Access:
Four aspects to consider when designing secure database access are:
- Secure Queries
SQL Injection occurs when untrusted user input is dynamically added to a SQL query in an insecure manner, often via basic string concatenation. SQL Injection is one of the most dangerous application security risks. SQL Injection is easy to exploit and could lead to the entire database being stolen, wiped, or modified. The application can even be used to run dangerous commands against the operating system hosting your database, thereby giving an attacker a foothold on your network.In order to mitigate SQL injection, untrusted input should be prevented from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as ‘Query Parameterization’. This defense should be applied to SQL, OQL, as well as stored procedure construction.
- Secure configuration
Unfortunately, database management systems do not always ship in a “secure by default” configuration. Care must be taken to ensure that the security controls available from the Database Management System (DBMS) and hosting platform are enabled and properly configured. There are standards, guides, and benchmarks available for most common DBMS.
- Secure authentication:All access to the database should be properly authenticated. Authentication to the DBMS should be accomplished in a secure manner. Authentication should take place only over a secure channel. Credentials must be properly secured and available for use.
- Secure communication:
Most DBMS support a variety of communications methods (services, APIs, etc) – secure (authenticated, encrypted) and insecure (unauthenticated or unencrypted). It is a good practice to only use the secure communications options per the Protect Data Everywhere control.
- Secure Queries
- Encode and Escape Data:
Encoding and escaping are defensive techniques meant to stop injection attacks. Encoding (commonly called “Output Encoding”) involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example translating the “<” character into the < string when writing to an HTML page. Escaping involves adding a special character before the character/string to avoid it being misinterpreted, for example, adding a “\” character before a ““” (double quote) character so that it is interpreted as text and not as closing a string.Output encoding is best applied just before the content is passed to the target interpreter. If this defense is performed too early in the processing of a request then the encoding or escaping may interfere with the use of the content in other parts of the program. For example if you HTML escape content before storing that data in the database and the UI automatically escapes that data a second time then the content will not display properly due to being double escaped.
- Validate All Inputs:
Input validation is a programming technique that ensures only properly formatted data may enter a software system component.
- Implement Digital Identity:
Digital Identity is the unique representation of a user (or other subject) as they engage in an online transaction. Authentication is the process of verifying that an individual or entity is who they claim to be. Session management is a process by which a server maintains the state of the users authentication so that the user may continue to use the system without re-authenticating.
- Enforce Access Controls:
Access Control (or Authorization) is the process of granting or denying specific requests from a user, program, or process. Access control also involves the act of granting and revoking those privileges.
- Protect Data Everywhere:
Sensitive data such as passwords, credit card numbers, health records, personal information and business secrets require extra protection, particularly if that data falls under privacy laws (EU’s General Data Protection Regulation GDPR), financial data protection rules such as PCI Data Security Standard (PCI DSS) or other regulations.Attackers can steal data from web and webservice applications in a number of ways. For example, if sensitive information in sent over the internet without communications security, then an attacker on a shared wireless connection could see and steal another user’s data. Also, an attacker could use SQL Injection to steal passwords and other credentials from an applications database and expose that information to the public.
- Implement Security Logging and Monitoring:
Logging is a concept that most developers already use for debugging and diagnostic purposes. Security logging is an equally basic concept: to log security information during the runtime operation of an application. Monitoring is the live review of application and security logs using various forms of automation. The same tools and patterns can be used for operations, debugging and security purposes.
- Handle All Errors and Exceptions:
Exception handling is a programming concept that allows an application to respond to different error states (like network down, or database connection failed, etc) in various ways. Handling exceptions and errors correctly is critical to making your code reliable and secure.Error and exception handling occurs in all areas of an application including critical business logic as well as security features and framework code.Error handling is also important from an intrusion detection perspective. Certain attacks against your application may trigger errors which can help detect attacks in progress.
The above information has been excerpted from OWASP which is freely available under the Creative Commons Attribution ShareAlike 3.0 license (CC-BY-SA).