Do you remember the popular 1946 James Stewart classic “It’s a Wonderful Life”?
According to this movie, every time a bell rings, an angel gets wings.
Applied to the modern world, the theory would go something like this:
Every time a programmer makes an application security error, a customer loses his/her confidential credit card information.
I’m talking about serious application security breaches that have recently gone way up in frequency as well as severity. Let’s take a look at some recent shocking facts.
According to the recently issued 2014 IBM X-Force Threat Intelligence Quarterly, almost half a million records were compromised in 2013. The report also shows that the number of cyber attacks and breaches rose steadily from 2009 to the end of 2012, and that the trend persisted throughout 2013.
Some other observations from the report are as follows:
– SQL injection was identified as one of the main breach vectors since the tracking of public breaches began.
– Apart from all the recorded data, there are a substantial number of breaches that go undisclosed too.
Another observation the report supports, though it does not spell it out explicitly, is that Java-based threats and vulnerabilities have almost tripled since 2012. This is no surprise: the cross-platform reach that makes Java attractive cuts both ways. Code written once runs everywhere, and an exploit for a Java vulnerability runs everywhere too, so a single flaw exposes every platform the application is deployed on.
“Java-based threats and vulnerabilities have increased by almost three times since 2012”
The ugly truth
As much as we hate to face the truth, the damage a data breach can cost is staggering. The average cost of a data breach can reach $7.2 million for a business, driven by government fines, litigation, remediation costs and brand erosion. On average it takes almost 80 days to detect a breach, and then another 123 days, more than four months, to resolve it.
Remediation cost also depends on when in the project a defect is found, and it rises sharply the later that happens. A fix in the development stage costs about $80 per defect, while the same fix in production can cost almost $7,600 per defect.
So it is clear from all these figures that, fixing application security issues in coding, while in the development stage can save all of us a load of money, not to mention efforts and mental suffering.
So what can you do to avoid this mess?
Tips to enhance application security
A data breach can put you through some of the worst days of your life for sure. But it’s not like there is nothing you can do about it. As a matter of fact, you can save yourself from almost 80% of the consequences by taking care of a few simple things. Here is what you can do:
- Validating and sanitizing user input – This is the first line of defence against SQL injection and cross-site scripting (XSS). SQL injection targets the database behind the web server; XSS targets the client by getting attacker-controlled script into the HTML handed to the browser. Cross-site request forgery (XSRF) is often listed alongside them, but input sanitizing does not stop it: XSRF needs anti-forgery tokens (and, in current browsers, SameSite cookies). Checking for apostrophes and removing or neutralizing them before data reaches the database is not enough on its own, because a numeric context such as an id needs no quotes at all. The reliable fix is parameterized queries (prepared statements), which send user-supplied values separately from the SQL text so they can never run as SQL. Never use POST and GET variables directly in SQL queries. With a validation step in front of every query, malicious data is rejected or neutralized before it ever reaches the database. Specific techniques include:
– Using whitelisted (allow-listed) values wherever the set of valid inputs is known in advance
– Using the built-in escape functions of your language or database driver rather than hand-rolled ones
– Validating data types (an id must be an integer, an email must look like an email) before use
– Re-validating selections on the server, even when the client only offers a fixed set of choices
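The points above, worked through in code. This is an added example written for this page, not code from the original post or any project it mentions; the in-memory users table, the sample rows and the card numbers are constructed for illustration. It shows the vulnerable string-concatenation query beside its parameterized form, why stripping apostrophes fails in a numeric context, data type validation, an allow-list for a column name (which cannot be bound as a parameter), and output encoding as the XSS counterpart:

```python
import html
import re
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the application's user database
    # (sample data invented for this example, not taken from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO users (username, card_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1111"), ("carol", "9999")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Anti-pattern: a request parameter pasted into the SQL text. An apostrophe in
    # the input closes the string literal and the rest of the input runs as SQL.
    sql = "SELECT username, card_last4 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterized query: the value travels separately from the SQL text and is
    # compared as data, so quoting characters in it have no syntactic effect.
    sql = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def strip_apostrophes(value):
    # The "remove the apostrophes" approach, kept only to show where it breaks down.
    return value.replace("'", "")


def lookup_by_id_vulnerable(conn, user_id):
    # Numeric context: the query has no quotes, so apostrophe stripping changes nothing
    # and "1 OR 1=1" still matches every row.
    sql = "SELECT username, card_last4 FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def is_valid_id(value):
    # Data type validation: the only acceptable id is a positive integer literal.
    return re.fullmatch(r"[1-9][0-9]*", value) is not None


def lookup_by_id_safe(conn, user_id):
    # Validate the type first, then bind the converted value as a parameter.
    if not is_valid_id(user_id):
        raise ValueError("invalid id: %r" % user_id)
    sql = "SELECT username, card_last4 FROM users WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


ALLOWED_SORT_COLUMNS = ("username", "id")


def list_sorted(conn, sort_by):
    # Identifiers such as column names cannot be bound as parameters, so the only
    # safe option is an allow-list of values the application itself defines.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_by)
    return [row[0] for row in conn.execute("SELECT username FROM users ORDER BY " + sort_by)]


def render_greeting(username):
    # XSS is an output-side problem: encode for the HTML context at render time
    # instead of trying to strip "dangerous" characters on input.
    return "<p>Welcome, %s</p>" % html.escape(username, quote=True)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every row, including card data
    print("safe:      ", lookup_safe(db, payload))        # no rows
    print("numeric:   ", lookup_by_id_vulnerable(db, strip_apostrophes("1 OR 1=1")))
    print(render_greeting("<script>alert(1)</script>"))
```

The same pattern applies to any driver: PHP's PDO, JDBC PreparedStatement and Python's DB-API all accept placeholders, and the escape functions the post mentions should be the fallback for the rare places (such as identifiers) where a placeholder cannot be used.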
- Incorporating static and dynamic application security testing (SAST and DAST) – These are not substitutes for secure coding practices, but they catch the mistakes you would otherwise miss. Beyond flagging latent vulnerabilities, they can be wired into your source control and build pipeline so every change is checked, and the findings show developers exactly how a vulnerability manifests in their own code. Such scanners also pick up the recurring defects, which lets you focus training where it is needed most.
- Disabling error reporting features in production – Built-in features like PHP's error reporting help developers resolve problems by displaying error messages on the page. That is useful while fixing bugs, but in production the same messages can hand an attacker internal details such as file paths, query text or database login information. Turn the on-page display off in production and send the full details to a server-side log instead.
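What that looks like in a request handler, as an added example that is not part of the original post. In PHP the corresponding settings are `display_errors = Off` and `log_errors = On` (with `error_log` pointing at a file the web server cannot serve); the example below shows the same idea in Python so it can be run directly. The failing database connection and the credential it echoes are constructed stand-ins, and the in-memory log handler exists only so the example can show what the server-side log received:

```python
import logging
import sqlite3
import traceback
import uuid

# Constructed stand-in for a real database credential (not from the original post).
DB_PASSWORD = "s3cret-db-password"


class ListHandler(logging.Handler):
    """Collects formatted log records in memory so we can inspect the server-side log."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


log = logging.getLogger("app.errors")
log.propagate = False
log.setLevel(logging.ERROR)
captured = ListHandler()
log.addHandler(captured)


def connect():
    # Constructed stand-in for a driver error that echoes its connection parameters.
    raise sqlite3.OperationalError("connect failed for user=app password=%s" % DB_PASSWORD)


def handle_debug_style(action):
    # Like PHP with display_errors=On: the exception text and traceback go straight
    # to the browser, credentials and source paths included.
    try:
        return 200, str(action())
    except Exception:
        return 500, "<pre>" + traceback.format_exc() + "</pre>"


def handle_production_style(action):
    # Production: full details go to the server-side log under a reference id;
    # the client gets a generic message plus that id so support can look it up.
    try:
        return 200, str(action())
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s\n%s", ref, traceback.format_exc())
        return 500, "Something went wrong. Reference: %s" % ref


if __name__ == "__main__":
    status, body = handle_debug_style(connect)
    print(status, body)  # the password is visible in the response
    status, body = handle_production_style(connect)
    print(status, body)  # only the reference id is visible
    print("server log:", captured.records[-1])
```

The reference id is the piece people tend to skip: without it the generic message makes the failure hard to diagnose, which is exactly what pushes teams to turn the detailed output back on.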
- Better training on secure coding practices – This one needs the support of management, who have to arrange and fund training programs specifically for secure coding and ethical hacking. Such training gives developers the attacker's mindset, points them at mailing lists and other resources for keeping up with new threats, and brings them up to speed on countermeasures and defensive programming.
Simple steps like these go a long way toward avoiding huge security issues. They are only some of the measures against the most common problems; there are many more. What do you think should be added to this list? Let’s discuss.