Application security: Past myths, present excuses

Over the past five years we've seen an unprecedented growth in the sophistication of application security measures. Unfortunately, that has been paralleled by an increase in the ability to penetrate applications.

With recent attacks more targeted at Web applications, it has become increasingly important to address application vulnerabilities overlooked in the past. Though some of the companies are maturing and addressing application security issues, a vast majority either underemphasize the importance of those measures or labor under misconceptions.

This issue is further exacerbated by the lack of proper process or guidelines. As a result, a vast majority of development managers rely heavily on pre-programmed tools such as AppScan from Watchfire or WebInspect from SPI Dynamics to identify the vulnerabilities in their applications. Based on my experience in this field, I have found that the problem is two-fold: people rely on out-of-date information for their decision-making and they lack initiative for staying current in this rapidly developing field.

Below are some of the common reasons I have received from development managers for believing their applications are safe and what they should do to ensure application security:

All of those points are related to authentication and should be properly addressed and documented.

We don't generate session ID.
Issue: Almost every developer knows how to create a session object and how to store, retrieve or delete values from it. What developers also need to understand is the story behind the scenes. When a session is created the session ID is generated, which usually is stored at the client browser in one of the three ways: (1) appended in the URL, (2) hidden form fields or (3) co

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

Email Address:
Create Password:
Confirm Password:

By joining SearchSoftwareQuality.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

To read more you must become a member of SearchSoftwareQuality.com

As an existing member of the TechTarget network please provide your password to activate your account (Forgot your password?):

Password:

By joining SearchSoftwareQuality.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security Strategies Fixing four Web 2.0 input validation security mistakes Social engineering training could disrupt botnet growth Web security problems: Five ways to stop login weaknesses Common mistakes in real-time Java programming Preparing for testing applications in the cloud The role of quality assurance (QA) pros in software security Common software security risks and oversights Using the Firefox Web Developer extension to find security flaws Web application security testing checklist How to develop secure applications Building security into the SDLC (Software development life cycle) The role of quality assurance (QA) pros in software security Common software security risks and oversights Why the quality assurance department should be involved in testing How to develop secure applications Secure software development practices 'not rocket science' How to prevent HTTP response splitting Browser security a concern for website development Web application security and the PCI DSS PCI DSS compliance: Web application firewalls (WAFs) PCI DSS compliance: The basics

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

okies, where cookie usually is the default setting.

Solution: Two security measures are necessary to ensure security. Namely, in the server configuration panel, the cookie generated should be secure and the life of the cookie should be for that session only. Other points to consider:

As you can see, a little due diligence not only saves a lot of effort in patching these applications but also goes a long way toward integrating security in the design phase. Remember, every step, however small, is a step forward in securing your application.

-------------------------------
About the author: Anurag Agarwal, CISSP, is an application security specialist at Wipro Ltd. where he addresses different aspects of application security in the software development life cycle.

Rate this Tip To rate tips, you must be a member of SearchSoftwareQuality.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.