Responsive & Rich Data Logging

Troubleshoot 75% Faster! Custom Alerts.
< 50 Second Setup.

Get Started

Sep 05, 2014

The Security Risks That Make Coding Errors Dangerous

Categories Security

Posted by Gen

TL;DR: As development cycles get shorter and shorter and demands on programmers' time increase, it can be tempting to take the easy route when coding a new app. Too often, however, coding shortcuts are open invitations to hackers. Now there's a way to troubleshoot your systems, apps, and databases quickly, simply, and affordably: OohLaLog!

Never have there been so many demands placed on programmers. Not only are they being asked to create more apps in less time, the programs are expected to run on many different platforms, including mobile devices.

As coders depend increasingly on generators, frameworks, libraries, APIs, and other tools, it becomes tempting to move code validation to the back burner. Considering how easy it can be for hackers to find holes in off-the-shelf development tools, that can be a big mistake.

A recent post on the Indusface blog identified seven security mistakes made by coders. Topping the list was blindly trusting off-the-shelf and third-party code. While it's not always practical to write the code yourself, it's important to ensure that the source of the code in your app followed OWASP guidelines and other industry standards. All source code from a third party has to be put through both static and dynamic analysis before it ships.

Among the other poor coding practices that introduce security vulnerabilities are using hard-coded passwords, adding backdoor administrative accounts, and failing to encrypt sensitive data. All three of these techniques make hacking into the app much easier.

Perhaps the two most common security mistakes made by programmers are failing to validate inputs, and choosing not to restrict user privileges. Just as with encrypting data, validating inputs and limiting account privileges are time-consuming, but unless you do so, you can't say your app is secure.
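As an added illustration (not from the original post and not OohLaLog's code), two of the mistakes listed above appear side by side with their fixes in Python: a hard-coded database password is replaced by one read from the environment, and an unvalidated username spliced into a SQL string is replaced by allow-list validation plus a parameterized query. The accounts table, its sample rows, the username policy, and the APP_DB_PASSWORD variable name are all constructed for this example.

```python
"""Insecure vs. hardened handling of a credential and of user input.
The database is an in-memory SQLite table built here for the demo."""
import os
import re
import sqlite3

# Constructed sample data: two accounts and their roles.
SAMPLE_ROWS = [("alice", "user"), ("bob", "admin")]

# Assumed allow-list policy: lowercase letter, then 2-31 of [a-z0-9_].
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


# --- Insecure: secret checked into source, input pasted straight into SQL.
DB_PASSWORD = "hunter2"  # the hard-coded credential mistake


def insecure_lookup(conn, name):
    # Whatever the caller sends becomes part of the SQL statement.
    query = "SELECT name, role FROM accounts WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


# --- Hardened: credential from the environment, allow-list validation,
#     and a parameterized query so the value is never parsed as SQL.
def load_db_password(env=os.environ):
    password = env.get("APP_DB_PASSWORD")  # variable name is assumed
    if not password:
        raise RuntimeError("APP_DB_PASSWORD not set; refusing to start")
    return password


def is_valid_username(name):
    # fullmatch: the whole string must fit the policy, not just a prefix.
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None


def secure_lookup(conn, name):
    if not is_valid_username(name):
        raise ValueError("username rejected by allow-list")
    return conn.execute(
        "SELECT name, role FROM accounts WHERE name = ?", (name,)
    ).fetchall()
```

Run against the same in-memory table, the insecure lookup returns every account when handed a string that closes the quote and adds an `OR` clause, while the hardened lookup rejects that string before any SQL is executed.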

While it isn't necessarily a security issue, many coders also fail to appreciate the need to ensure that users will understand the program's error messages and prompts. Taking a little time to let users vet the wording of such messages can reduce support costs and improve your organization's overall efficiency.

Programming errors are easier to avoid than to fix

Coding quality becomes a more serious issue as more and more industries and critical systems come to rely on software: healthcare, defense, energy, and finance are only some of the vital industries that depend on quality software for their day-to-day operations.

As the Open Web Application Security Project points out in the 2013 edition of its assessment of the 10 most critical Web application security risks (PDF), attackers are getting more sophisticated in their use of new technologies. In response to the growing dependence on component-based development, an entirely new category of security risk was added to the 2013 edition: Using Known Vulnerable Components.

Figure: OWASP Top 10 Application Security Risks. The updated edition of OWASP's list of the 10 most critical Web app security risks adds a new category: Using Components with Known Vulnerabilities.

OWASP rates the risks in terms of how easy or difficult they are to exploit, as well as by their prevalence, detectability, and technical and business impact (minor, moderate, or severe). Information is included in the report to help organizations determine how vulnerable they are to each risk, and how to prevent them. Also provided are example attack scenarios and links to sources for more information.

Figure: OWASP Risks. OWASP rates the risks in terms of prevalence, detectability, and impact on organizations.

Guidelines for security-focused coding

The go-to resource for programmers looking to ensure the safety of their code is the CWE/SANS Top 25 Most Dangerous Software Errors, which is compiled by the SANS Institute, MITRE, and leading software security experts. As if 25 dangerous coding errors weren't enough, an addendum to the list describes 16 more "weaknesses" that don't pose as great a threat to organizations.

The 25 coding vulnerabilities are broken down into three categories: Insecure Interaction Between Components, Risky Resource Management, and Porous Defenses. As with the OWASP reference, each risk is rated in terms of prevalence, remediation cost, attack frequency, consequences, ease of detection, and attacker awareness. Tips are provided for preventing and mitigating the threats.

Security was the focus of the most recent update to SAFECode's best-practices guidelines for programmers. The second edition of Fundamental Practices for Secure Software Development (PDF) emphasizes the importance of testing for security at all phases of development. The heart of the design process is Threat Modeling, which analyzes a system's dataflow to identify vulnerabilities and the ways hackers can exploit them.

A good way to ensure your code is free of potential security holes is by using OohLaLog's cloud-based log monitoring and management system. The service incorporates stack traces, real-time pattern recognition, and dynamic metrics to speed troubleshooting of applications, databases and systems.

OohLaLog supports Ruby, Java, JavaScript, PHP, Grails, Python, .Net, Android, iOS, Oracle, Apache, Debian, MongoDB, MySQL, and other platforms. You can set custom alerts to notify individuals or entire teams when specific thresholds are met or exceeded. All Syslogs, app logs, and DB logs can be managed from a single console. Getting started takes only a few minutes and requires no downloads at all.

Visit the OohLaLog site for pricing information. A 30-day free trial is available, and the service offers a 100 percent satisfaction guarantee. Now you can reduce the amount of time you spend troubleshooting your apps and databases without putting a big dent in your IT budget!

