Category: Technology

These are practical, straightforward steps that developers can take, with code examples, links to Secure Software. Consider this article a sneak peek at the latest OWASP Top 10 list for developers. If you have questions or suggestions, we’d be happy to hear from you, Just send an email to  info@apptech.com.tr.

1. Protect Your Database From SQL Injection

One of the most dangerous (and most common) attacks on web applications is SQL Injection: attackers inserting malicious SQL into a dynamic SQL statement. SQL injection vulnerabilities are easy for an attacker to find and exploit using free tools like SQL Map or SQL Ninja, or even manually: try inserting a value like 1′ or ‘1’ = ‘1into the user name, password, or any other text fields and see what happens. Once SQL injection vulnerabilities are found, they’re easy to exploit.

Luckily, SQL injection is also easy to prevent. You simply need to parameterize your SQL statements, making it clear to the SQL interpreter which parts of a SQL statement make up the command and which parts are data. OWASP has a Cheat Sheet that explains how to parameterize queries in Java (using prepared statements or Hibernate) and in other languages.

2. Encode Data Before Using It

SQL injection is only one type of injection attack. Stopping SQL injection is easy. Stopping other kinds of injection attacks—LDAP injection, XML injection, XPath injection, OS Command Injection, and especially JavaScript injection (aka Cross-Site Scripting)—takes a lot more work.

The solution to injection attacks is simple in concept: if you can’t clearly separate code from data (which is what you do to prevent SQL injection using a parameterized API), you have to make the data safe before handing it off to an external interpreter, such as an XML parser, an OS command shell, or a browser.

To do this you need to output encode/escape data before handing it to the interpreter so that the interpreter will not recognize executable statements in the data.

3. Validate Input Data Before You Use It or Store It

All data from outside your program or service, especially data from remote clients, is evil and needs to be validated: files, parameters, HTTP headers, cookies, … It doesn’t matter if the client or the other system validated the data. You need to validate it again.

The basic rules of data validation are as follows:

• Don’t rely on client-side checking. Always check on the server.
• Use positive, whitelist validation rules wherever possible. Negative, blacklist checks that reject data if they contain dangerous or illegal values can be subverted through (double) encoding and other evasion tricks. Where you can, use strong whitelist rules that specify the size and range of acceptable values using regular expressions. Look to libraries like the Apache Commons Validator for help in how to properly check for data types like dates, currencies, IP addresses, URLs, and credit card numbers.

4. Access Control—Deny by Default

Deciding who needs what access to which data and to which features—and how these rules will be enforced—should be carefully thought through upfront in design. It’s a pain to retrofit access control later without making mistakes.

• Implement access control rules in a central, server-side management library, instead of sprinkling these rules throughout the business logic. This makes it much easier to audit and update the rules. Use the access control functions of your application framework, or use a security library like Apache Shiro to do this.
• Only use server-side trusted data (data that has been properly validated) to make access control decisions.
• Deny by default—all functions should check to make sure that the user is authorized before proceeding.

5. Establish Identity Upfront

Building your bulletproof authentication and session management scheme isn’t easy. There are lots of places to make mistakes, which is why “Broken Authentication and Session Management” is #2 on the OWASP Top 10 list of serious application security problems. If your application framework doesn’t take care of this properly for you, then look at a library like Apache Shiro to provide functions for authentication and secure session management.

Try to enforce multi-factor authentication if you can. If you have to rely on just User IDs and passwords, make sure to follow rules for password length and complexity. If you are using an email address as the User ID, be careful to keep it safe: bad guys will try to harvest email addresses for other purposes.

When storing passwords, you can’t get away with just salting and hashing the value anymore. OWASP’s Password Storage Cheat Sheet explains what you need to do and what algorithms to use.

6. Protect Data and Privacy

Protecting data and privacy is about access control (which we’ve already talked about), auditing (which we’ll cover under logging), and encryption: encrypting data in transit, at rest, and during processing.

For web apps and mobile apps, encrypting data in transit means using SSL/TLS.  Using SSL isn’t hard. Making sure that it is set up and used correctly takes more work. OWASP’s Transport Layer Protection Cheat Sheet explains how SSL and TLS work and rules that you should follow. The Cheat Sheet on Certificate Pinning explains how you can prevent man-in-the-middle attacks when using SSL/TLS.

The most common mistakes in encrypting data at rest are:

• Forgetting to encrypt data in the first place
• Trying to roll your encryption algorithm
• Mishandling keys or other setup steps for standard encryption libraries

OWASP has another Cheat Sheet on Cryptographic Storage which covers the different crypto algorithms that you should use and when. Libraries like Google KeyCzar or Jasypt will take care of the implementation details for you.

7. Logging and Intrusion Detection

Logging is important for more than troubleshooting and debugging. It is also critical for activity auditing, intrusion detection (telling Ops when the system is being hacked), and forensics (figuring out what happened after the system was hacked). You should take all of this into account in your logging strategy.

Watch out for Log Forging attacks where bad guys inject delimiters like extra CRLF sequences into text fields which they know will be logged to try to cover their tracks or inject JavaScript into data which will trigger an XSS attack when the log entry is displayed in a browser-based log viewer.

Review code for correct logging practices and test the logging code to make sure that it works. OWASP’s Logging Cheat Sheet provides more guidelines on how to do logging right, and what to watch out for.

8. Don’t Roll Your Own Security Code

Know your tools and use them. There are lots of built-in security features in frameworks like Spring Security, Ruby on Rails, .NET, AngularJS, and Play, along with iOS and Android mobile platforms that will take care of common security problems for you, if you use them right. Take the time to understand and use them properly.

9. Handle Errors and Exceptions Correctly

Error Handling isn’t sexy, but it has to be done right. Mistakes in error handling and exception handling lead to different kinds of common and serious security vulnerabilities:

• Leaking information that attackers can use to penetrate your system. Stack traces and detailed error messages can disclose too much technical information about your run-time environment or architecture. For example, “invalid user” or “invalid password” instead of “invalid logon” helps bad guys as much as it helps users.
• Missing or inconsistent error handling can lead to errors going unnoticed, unpredictable behavior, or crashes. A University of Toronto study found that small mistakes in error handling can lead to catastrophic system failures in large systems.

10. Build Security Testing Into Development

Make sure that you have good automated unit and integration test coverage for security features and controls (like authentication, access control, and auditing) and critical business features: code that handles money, private data, trade secrets, and admin functions. This has to include both positive and negative tests.

Other system-level security tests and checks can be automated in CI/CD using tools like Gauntlet, BDD-Security, and Zapper (a Jenkins wrapper over the OWASP Zed Attack Proxy). These tools make it easy to run security tests and provide clear pass/fail feedback.

It’s your code. It’s your job to make sure that it is safe and secure.

It’s essential for developers to include app security in their development plans. Here are several different ways to build a secure mobile application.

First comes the app concept–that’s the easy part. After the stroke of inspiration comes a lot of planning, outlining, and strategizing to make that app dream become reality.

There are a lot of factors that go into app development, and in a world where hacking, data leaks, and cybercrime is more prolific than ever security needs to be at the top of the list when starting a new project.

The last thing any app developer wants is their idea to go bust because of a major security flaw. With proper security planning and strategy, it doesn’t need to, though. Here are 10 tips to ensure your mobile app hits the ground securely.

1. Incorporate the security team from day one

Security should be part of the mobile development process from the first time the dev team sits down together. Whether you’re SWOTting, Scrumming, using DevOps, Rapid, or Agile it makes no difference: Include security so every change incorporates it.

When a change is made or a major revision is planned, always consult the security team so they know how to account for any issues that may arise.

2. Test, test, and retest

As reported on TechRepublic last year, 60% of developers lack confidence in the security of their code, yet don’t take steps to fix it. The problem, as NodeSource and Sqreen mentioned in their report, is partially due to testing–lots of developers just aren’t doing it.

QA is an important part of building secure code, and like security as a general concept, it shouldn’t simply be tacked on to the end of the process. Review code constantly and identify every potential security hole you can find, then fix it before it ends up live.

The biggest concern that developers have, according to the report mentioned above, isn’t actually due to lack of testing: It’s due to something else entirely, particularly the problems inherent in third-party dependencies.

3. Don’t assume the safety of third-party dependencies

It’s common for developers to incorporate portions of code available free or for sale from other sources: Why reinvent the wheel when it already works fine as-is?

Third-party code isn’t always safe, and according to the NodeSource/Sqreen survey cited above, only 16% of developers trust the third-party dependencies they use. 40% skip review for those third-party components, though.

Don’t be one of those programmers. Thoroughly pick apart your third-party modules to be sure they’re safe.

4. Careful with that API

APIs are an essential part of backend programming, but they’re also a security headache since they often need to face the outside world. Be sure that the APIs you’re using are verified for the platform you’re developing on.

Be sure to also incorporate an API gateway as discussed in this TechRepublic piece.

5. Think like an attacker

When you’re writing code, think about it as an attacker: Could you exploit this? What may seem like a minor issue not worth addressing could be a vulnerability a hacker could use to attack your application.

Code reviews should always include some time spent looking for ways to break the app. Don’t stop at obvious flaws either, some attacks are so inconceivable that you should be testing, and accounting for everything. That goes double for mobile devices, which are subject to a wide variety of environmental variables.

6. Eliminate attack vectors by minimizing permissions

Zero-trust security is one of the fastest-growing security methods, and with good reason: It assumes no one, and nothing, on a network, is secure. As such, only the barest permissions are granted to a user or a machine, and only as needed.

Your mobile app should be designed in the same way. If it doesn’t need access to the camera, or contacts, or the dialer, don’t ask for it. If it doesn’t need a constant connection, don’t program it with one.

Each permission an app need is another connection it has. The best-fortified castles only have a single entrance–think of your app like a castle and eliminate all those secret exits and hidden passageways.

7. Be mindful of what’s being stored on a device

Personal data stored by an app is ripe for the plucking–get rid of it, or move it to a secure location on the device. If you have to store sensitive or personally identifiable information on a user’s device, encrypt it.

If sensitive data is used by your app there’s going to have to be a compromise somewhere: Either it’s going to be on-device or on your servers, and both are a risk. As part of developing your app, take time to determine the best place for user data, both for the user’s sake and from a security standpoint.

8. Secure data transmission

VPNs, SSL, and TLS can all help secure data in transit, as can encrypting it between the sender and the receiver. Find a way to ensure your app is transmitting and receiving data securely so it can’t be intercepted or spoofed.

9. Use tokens to handle sessions

Tokens are the de facto way to handle user logins in the modern app world, and you should use them to better manage user sessions. Not only can they be easily revoked to ensure user security, but they’re also more user-friendly, which is always a plus for an app.

OAuth2, JSON Web Tokens, and OpenID Connect are all great methods for securing and simplifying, user logins.

10. Implement tamper protection

More of a problem for Android apps, which are easily decompiled, tamper protection is a must-have for security. Copycat apps have appeared in Google Play and fooled millions of users, and you don’t want your app to be one of them.

There are a number of different ways to tamper-protect an Android app, so implement one of them, or preferably more, to protect your users and your reputation as a trustworthy app choice.

Source: Ttechrepublic