Most of us have worked on a project that has gone over schedule and simply dragged on and on. There can be a number of reasons for such a delay, such as bad planning, outdated methods, and poor communication. Recently, however, a programmer at Siemens was caught deliberately planting logic mines in the code to ensure that he’d be hired again in the future to clean up the mess that he himself made. In a real-life version of the broken window fallacy, he sabotaged the code to secure future work for himself, delaying the project and costing Siemens far more than they anticipated spending.
While this scenario is quite rare, it is highly recommended to make sure that your product’s code was written properly before it is released to consumers. The following are some actions you can take that will allow you to sleep soundly, knowing there aren’t any technological or PR-related disasters lurking around the corner.
Secure Application Development
The best way to ensure the safety of your product is to implement security in the early stages of the software development lifecycle (SDLC). It’s obvious this will save you a lot of time and money, considering just how expensive it will be to fix bugs later on down the pipeline. When analyzing requirements and choosing technologies and frameworks to utilize, consider the vulnerabilities that might set you back in the future.
In the architecture and design stage, teams ought to closely follow the guidelines in order to address some of the vulnerabilities that were considered in the previous stages. This is a critical stage, as far as security is concerned, because if all of the security threats are accounted for, they will not be able to damage your product in the later development stages. The development team will then need to conduct a code review to make sure that the product is free of bugs and functioning nominally. Let’s take a closer look at how to conduct such a review.
Security Code Review
As mentioned above, the security code review should be a standard part of your company’s development process, as it will prevent vulnerabilities from becoming full-blown issues. Such a code review should include:
- Input validation – This will prevent path manipulation and cross-site scripting.
- Parameterized statements – This helps guard against injection attacks in the event that input validation cannot be used.
- Safe memory management – This helps prevent issues related to memory, such as buffer overflow.
- Data encryption – This has become a worldwide security standard, since it helps prevent information breaches, both at rest and in transit.
While these are good measures to take into consideration, it is important to remember that the security code review will not replace application security controls, such as penetration testing. Before conducting the review, make a checklist of some of the things you are looking for, and then prioritize them. It is a good idea to create a threat model, since it will give your company a bird’s eye view of how all of the application components interact with one another, thus making it easier to discover flaws.
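Two of the checklist items above, shown as an added example (not code from the original article): a path check that rejects input escaping an upload directory, and a concatenated SQL query next to its parameterized form. The upload root, table, and function names are assumptions made for illustration.

```python
import sqlite3
from pathlib import Path

BASE_DIR = Path("/srv/app/uploads")  # assumed upload root (hypothetical)


def resolve_upload(user_path: str) -> Path:
    """Input validation: reject any path that resolves outside BASE_DIR."""
    root = BASE_DIR.resolve()
    candidate = (root / user_path).resolve()
    if not candidate.is_relative_to(root):  # Python 3.9+
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return candidate


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table of constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # What a reviewer should flag: input concatenated into the SQL text,
    # so quote characters in `name` change the structure of the query.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized statement: the value is bound as data, never parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed sample input
    print("unsafe:", find_user_unsafe(db, crafted))  # every row comes back
    print("safe:  ", find_user_safe(db, crafted))    # no rows match
    print("path:  ", resolve_upload("reports/q1.pdf"))
    try:
        resolve_upload("../../etc/passwd")
    except ValueError as err:
        print("rejected:", err)
```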
Let’s take a deeper look into what the penetration testing process looks like.
Before you even begin a pentest, be sure to create a thorough plan and a methodology as to how you will go about it. If you are using a third-party contractor to handle your penetration testing, be sure to ask them for a detailed description of what they plan to do and how they will go about it. If you are not sure where to start, OWASP (Open Web Application Security Project) has created a cheat sheet for you to follow. While it was created for penetration testing in an iOS environment, the same practices can be applied to other environments as well. Speaking of environments, it is important to identify areas of the environment that you would like to test since it might be too time-consuming and costly to test everything.
Penetration testing can be a very tedious and labor-intensive job, depending on the scale of the product, as well as the test itself. Therefore, it is important to be patient. While it might be tempting to skip some details or steps along the way, such carelessness may compromise the entire test.
Finally, be sure to test all servers that interact with the app. The items that you need to pay particularly close attention to are the authentication mechanisms, open redirects, unauthorized file uploads, and cross-origin resource sharing. Since each testing environment is different, the methodology will need to be adjusted in order to adapt to those conditions. Additionally, be wary of the human factor. The penetration tester is a human being who gets tired like everyone else, so it is crucial to back them up when fatigue occurs. If you are stretched for testers, there are plenty of companies out there that can help you either augment your team or even conduct the entire test process themselves.
Don’t Wait Until it’s too Late
It seems almost every day we hear of a hacked business. This usually results in a big fine from government agencies and a loss in consumer trust. However, the security practices mentioned above can effectively help make sure this never happens. To ensure consumers feel safe using your products now and in the future, it is imperative to anticipate and discover security vulnerabilities before product release and plan out response procedures for those that remain unfound.