In today’s fast-paced world, software developers are often pushed to their limits, especially when it comes to working on projects with strict deadlines (and often commissioned at short notice).
These “quick deliveries” come with a price though, as unwanted flaws and vulnerabilities may sneak into the code. But there are ways of mitigating these risks, such as having proper QA procedures, using well-defined testing processes and tools, and educating programmers to apply a so-called “secure by design” approach.
Even today, a great many software developers aren’t focusing on security as much as they should. Some have never received proper secure development training from their employers, while others are trying to speed things up by borrowing third-party code – which isn’t wrong, but might contain undetected bugs.
All of this, together with customers’ focus on quick delivery instead of security, makes the goal of creating safe software more difficult to achieve.
This affects users too. Some flaws may be so serious that an attacker can steal sensitive data, hijack a session, or even impersonate the victim. Yet there are recommendations for developers that might help to avoid some of these problems, specifically by applying secure by design practices. October – as European Cyber Security Month – is a good time to remember some of the most important ones.
For starters, this approach encourages developers to create their applications with security in mind. An important part of this is a focus on the three basic principles that underline information security:
- Users are only granted access to data for which they have permission.
- Systems should ensure that unauthorized users are not allowed to manipulate or tamper with data.
- Systems grant access to data to authorized users when they need it.
The OWASP Foundation, which advocates the secure by design approach, is aiming to help developers and companies create and operate applications that can be trusted by users. To achieve this, it publishes the most common vulnerabilities so that anyone can identify them when they are encountered online. These are the top three:
- Injection flaws affecting SQL queries, OS commands, program arguments and others is the number one.
Example: In a vulnerable system an attacker inserts a script into the login form instead of legitimate account data – such as a username or password. The interpreter – a program that the user cannot see but which is performing the given instructions – executes the unwanted command and allows the attacker to access data in the host system, steal it, corrupt it, deny access or in the worst case take complete control.
- Broken authentication and session management is another widespread and commonly exploited flaw in which a web application fails to protect sensitive data.
Example: A user identifies himself (usually) by providing a username and password, and receives a session ID by the application linked to his credentials. However, if the connection is unencrypted an attacker might use a man-in-the-middle attack to capture sensitive data in transit. Malicious users can also hijack the session or, even worse, impersonate the victim by exploiting the session ID displayed in the URL.
- Cross-Site Scripting, also dubbed XSS, is another common vulnerability. It allows an attacker to compromise or take over a user’s account and retrieve data from it. The attacker can also redirect the victim to a malicious page or install malware on his system.
Example: The user receives an email or a message on social media that contains a malicious link. When the victim clicks on it and is redirected to the site, a script embedded by the attacker is executed that allows him to hijack the user’s session or retrieve data from the site.