
Thursday, January 2, 2014

Programming Security-Part 4 (Web Development)

Web applications are huge nowadays. While making desktop applications is still big business, it is more likely that software will be developed to be used within a web browser. Web development comprises a number of different technologies, often requiring different skill sets to create. Back-end programmers rarely deal with the front-end HTML, database admins are responsible for their little section of the system, and so on. It is a rare individual who can do all of these things (especially do them well); while one or two people can make a SOHO application, especially if it is self-hosted, anything that is going to handle a large number of clients will need teams of people working on it.

Obviously, with all these people, ensuring security in the design is paramount (or it should be). If any one part of the application is insecure, the entire system is vulnerable. Each person has to think about security when doing their part.

Though the site is outdated, Microsoft has a good page of web development topics. It lists 10 vulnerabilities that occur in web apps due to bad design. While I won’t go into detail about all of these, I’ll touch on some of the more significant areas.

1. Input validation
2. Authentication
3. Authorization
4. Configuration Management
5. Sensitive Data
6. Session Management
7. Cryptography
8. Parameter Manipulation
9. Exception Management
10. Auditing and Logging

I’ve talked about input validation before, but it bears repeating. Input validation is the front line of secure programming. If the attacker can’t get through the front door, hopefully he’ll move on to an easier target. Input validation attempts to block cross-site scripting, SQL injection, buffer overflows, and other related attacks.

If you assume that all input from an external source has a malicious intent, it will help your mindset when it comes to defensive programming. Develop a central repository of validation and filtering code that can be used by other programs; this ensures that the same code is being used throughout all projects. This makes it easy to patch or upgrade while ensuring consistency among programs.

While it’s fine to have client-side validation, such as through JavaScript, ensure you have server-side validation too. What happens if the client-side software is bypassed somehow? An example of this is news media paywalls. By simply disabling JavaScript in the browser, a user can bypass a paywall and access the content anyway. With no server-side checking, the paywall might as well be non-existent.

As part of input validation, you need to accept known good data (based on type, length, format, and range), reject known bad data, and sanitize what’s left. Sanitizing includes stripping extraneous characters (like spaces or null characters), escaping out values to create literal text, and encoding URLs or HTML to make literal text rather than executable scripts.
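The accept, reject and sanitize steps above can live in one shared server-side module, as suggested earlier for a central repository of validation code. The following is an added example, not code from the original post; the field rules (username format, age range, comment length) and all function names are assumptions chosen for illustration.

```python
import html
import re
from urllib.parse import quote

# Hypothetical rules for a signup form; adjust per field in your own app.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")          # format + length
AGE_RE = re.compile(r"[0-9]{1,3}")                        # type: ASCII digits
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")  # known bad


class ValidationError(ValueError):
    """Raised when input fails a server-side check."""


def validate_username(raw):
    # Accept known good only: strip padding, then match the allow-list.
    value = raw.strip() if isinstance(raw, str) else ""
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username: 3-20 letters, digits or underscore")
    return value


def validate_age(raw, low=13, high=120):
    # Type check first, then range check on the parsed number.
    text = str(raw).strip()
    if not AGE_RE.fullmatch(text) or not low <= int(text) <= high:
        raise ValidationError(f"age: whole number from {low} to {high}")
    return int(text)


def sanitize_comment(raw, max_len=500):
    # Free text cannot be allow-listed, so reject known bad, then sanitize.
    if not isinstance(raw, str) or len(raw) > max_len:
        raise ValidationError("comment: text of limited length required")
    if CONTROL_CHARS.search(raw):
        raise ValidationError("comment: control or null characters rejected")
    return html.escape(raw.strip(), quote=True)   # markup becomes literal text


def encode_for_url(value):
    # Percent-encode everything so the value cannot alter the URL structure.
    return quote(value, safe="")


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_username("  cody_j "), validate_age("42"))
    print(sanitize_comment("<b>hi</b> & bye"), encode_for_url("a b&c=d"))
```

Because these functions run on the server, they still apply when client-side JavaScript checks are disabled or skipped.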

When working with data over a network, assume that it will be intercepted. How would you deal with this? If you are sending data such as passwords and user names unencrypted, it’s only a matter of time before they are captured and used to break into your system. Therefore, use a secure transmission channel, like SSH or TLS/SSL, instead of insecure protocols like TFTP or Telnet.

If you have a database of valuable information, like credit card data, addresses, etc., make sure the database is encrypted with a good encryption scheme. When storing passwords, don’t store them in plain text; use a strong hashing algorithm and salt the passwords first.

Again, if the programming language you’re using has built-in libraries that will do what you want, use them. Don’t make your own and don’t rely on an unknown third-party’s library, as you’ll only create new vectors for attack.


Amy Smith said...

In your blog you have very well explained about the need and necessity of security as if any one of the applications or web programs are left unsecured then it can harm the entire system. So we should not rely on the third party software for security and we should make sure that everything is perfectly encrypted and secure from different attacks.

Cody Jackson said...

Thank you for your comment. The thing to remember is that security needs to be done in layers; don't expect one thing, like a firewall, to keep you safe.

Kavleen Kaur said...

Hey Cody.

Thanks for such an informative post, I was really seeking this. Thanks again. GIT Infosys

Blazingsoftech said...

Really helpful tutorial. Your blog is really useful for the users, especially for the fresh web developers. In my point of view, with the help of your blog they can get a lot of information related to website development.

Linda Grase said...

In your web journal you have great demonstrated about the necessity and need of security as though any of the provisions or web projects are left unsecured then it can hurt the whole framework.