Thursday, April 23, 2015

Developers vs Security Scans

As this diary post as SANS by Bojan reminds us, developers cannot and should not rely soley on Security Scans to ensure their application is secure. If you're used to kicking off a scan after you've completed your code such as HP Web Inspect, CAT.NET, Acunetix, Qualys, Nikto, Nessus, or whatever your tool of choice ... please don't forget there is SO MUCH MORE to TEST!

Your business logic you write in various areas of code such as Authentication and Authorization are just as critical. The recent MS14-034, plus the Authenticator flaw Bojan talked about both could've been prevented with simple Unit Testing, Fuzzing, and Business Testing. Validate your input, make sure all desired test cases including boundaries, outliers, etc. work. For example, check max int, min int, 0, negative values, null values, empty string, missing parameters, etc. Validate your conditionals and if statements work. Fuzz in some random data and see where your application breaks. You need to be able to handle all data at all times gracefully and properly. And write your code to fail closed, meaning if it doesn't match any of your criteria (your else statement or default case) then you deny access.

Dig into that code and protect your application!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment