Application Security Principles

By | December 11, 2005

What are the inherent security risks in the application design process?

Developers need to build in secure coding techniques, such as encryption, authentication, and passwords. Until recently, many of these techniques have not been taught in college classes for software developers. Therefore, many software engineers writing code are not educated about these techniques and are not aware of potential problems. For example, there are standard pieces of the C/C++ programming language that are insecure and should be used with great caution, or omitted from the process altogether.

What are some of the most common vulnerabilities in enterprise applications?

Common vulnerabilities can include authorization bypass, SQL injection, buffer overflows, and information leaks, and they can affect both commercial and custom applications. Authorization bypass occurs when a normal user is able to access information from a Website or other application that was meant for an administrator or a select group of individuals.

SQL injection is a technique for exploiting Web applications that use client-supplied data in SQL queries without removing potentially harmful characters first. There are quite a few systems connected to the Internet that are vulnerable to this type of attack. In this situation, data provided by a user, such as an account number and username, is used to look up additional data in the SQL database. A knowledgeable attacker can instead supply SQL commands, which get passed to the database and executed. The attacker can then manipulate the database into doing what the attacker wants, such as returning user account information and details.
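The account lookup described above, as an added example that is not part of the original article: the same query is built once by string concatenation and once with bound parameters, a different defense from character removal in which client data is never parsed as SQL. The table, column names, function names, and sample values are all constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (username TEXT, account_no TEXT, balance INTEGER)"
    )
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "1001", 250), ("bob", "1002", 900), ("carol", "1003", 40)],
    )
    return db


def lookup_concatenated(db, username, account_no):
    # Vulnerable pattern: client data becomes part of the SQL text,
    # so quote characters in it can change the structure of the query.
    query = (
        "SELECT username, balance FROM accounts WHERE username = '"
        + username + "' AND account_no = '" + account_no
        + "' ORDER BY username"
    )
    return db.execute(query).fetchall()


def lookup_parameterized(db, username, account_no):
    # Hardened pattern: the SQL text is fixed; client data is bound as
    # values and is compared literally, never interpreted as SQL.
    query = (
        "SELECT username, balance FROM accounts "
        "WHERE username = ? AND account_no = ? ORDER BY username"
    )
    return db.execute(query, (username, account_no)).fetchall()


# Constructed input containing quote characters that alter the WHERE clause
# when concatenated into the query text.
HOSTILE_ACCOUNT_NO = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("legitimate  :", lookup_parameterized(db, "alice", "1001"))
    print("concatenated:", lookup_concatenated(db, "alice", HOSTILE_ACCOUNT_NO))
    print("parameterized:", lookup_parameterized(db, "alice", HOSTILE_ACCOUNT_NO))
```

With the concatenated query the hostile value returns every row in the table; with bound parameters it matches no account and returns nothing.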

Buffer overflow is another example of a vulnerability that has plagued the commercial software industry and can also appear in custom applications. A buffer overflow occurs when a program or process tries to store more data in a buffer (a temporary data storage area) than it was intended to hold. Since buffers are created to hold a limited amount of information, the extra data can spill over into adjacent buffers, corrupting and deleting the valid data held in them.

When do vulnerabilities find their way into the application design process?

Vulnerabilities typically find their way into applications during two phases of development: application design and application implementation. It is best to identify vulnerabilities during the design, rather than discovering issues during implementation and going back to re-design pieces of the application.

How can developers address security from the beginning of application development and design?

A holistic approach to building security into the development lifecycle will save tremendous amounts of time and money because problems are identified early in the process and continue to be addressed at each step. Security practices should be in place during requirements planning, design time, implementation, and testing time, in order to catch the majority of problems as early in the cycle as possible.
