Application Security Principles

December 11, 2005

What are common information leaks and how can hackers use information for malicious purposes?

Information leaks can also pose a threat to applications. A single information leak is often not a serious problem, but has the potential to provide an attacker with access to more serious vulnerabilities. For example, if a user enters a long string of text, rather than an 8-digit account number, a vulnerable application will come back with a string of information about what came back from the SQL server, often providing information to the attacker about what version of SQL is being used and how the system is constructed.
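The leak described above, shown as an added example that is not from the original article: a lookup handler that echoes the database's raw error to the client, beside a hardened version that accepts only an 8-digit account number, binds the value as a query parameter, and keeps error detail in the server log. An in-memory SQLite table stands in for the SQL server, and the account number 12345678 and its balance are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite table stands in for the SQL server.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (number TEXT PRIMARY KEY, balance INTEGER)")
    conn.execute("INSERT INTO accounts VALUES ('12345678', 25000)")
    conn.commit()
    return conn

def lookup_balance_vulnerable(conn, user_input):
    """Leaky version: no input validation, SQL built by string concatenation,
    and the raw database error (engine name plus parser message) is sent back
    to the client, telling an attacker which engine runs and how queries are built."""
    try:
        row = conn.execute(
            "SELECT balance FROM accounts WHERE number = " + user_input).fetchone()
    except sqlite3.Error as exc:
        return f"{type(exc).__module__}.{type(exc).__name__}: {exc}"
    return "Account not found." if row is None else f"Balance: {row[0]}"

# Exactly eight ASCII digits, nothing else.
ACCOUNT_RE = re.compile(r"[0-9]{8}")

def lookup_balance_hardened(conn, user_input, server_log):
    """Hardened version: reject anything that is not an 8-digit account number
    before it reaches the database, bind the value as a parameter, and record
    any database error server-side while the client sees only a generic message."""
    if ACCOUNT_RE.fullmatch(user_input) is None:
        return "Invalid account number."
    try:
        row = conn.execute(
            "SELECT balance FROM accounts WHERE number = ?", (user_input,)).fetchone()
    except sqlite3.Error as exc:
        server_log.append(f"{type(exc).__module__}.{type(exc).__name__}: {exc}")
        return "Request could not be completed."
    return "Account not found." if row is None else f"Balance: {row[0]}"

if __name__ == "__main__":
    db = make_demo_db()
    junk = "a long string of text instead of an account number"
    print(lookup_balance_vulnerable(db, junk))       # echoes the engine's error text
    print(lookup_balance_hardened(db, junk, []))     # generic message only
    print(lookup_balance_hardened(db, "12345678", []))
```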

What does Symantec recommend for “best practices” for application development?

All software developers should be educated on the fundamentals of secure application development. Developers should also take a more holistic approach to application development, building countermeasures into the design process, as well as rigorous QA testing. While there is not one “silver bullet” for building secure applications, developers can employ multiple processes that examine vulnerabilities in different ways to ensure application security before production.

Do organizations need third-party validation for security of applications?

Some organizations need to comply with regulatory requirements, particularly in the financial services industry. If regulatory compliance is an issue, organizations should consider enlisting a third party for a penetration test, which will provide validation of the application’s security.
