
Secure Web Programming

Web programming in and of itself is not the issue; the security of the web programming is. Over the years many people have been involved in “programming websites,” and a distinction must be made between a real web programmer and a web page designer. It is the dynamic back-end systems that typically create security vulnerabilities on web servers. Static web pages that do little more than display some content are not likely to cause havoc.

A web programmer typically works in a server-side language such as PHP, ASP, or another language suited to web applications. My specialty is secure PHP & MySQL programming, especially for web and database applications. That does not prevent me from commenting on web security for ASP and other languages, since they all operate in much the same way, just with different command structures and spellings: data flows the same way, and the potential security vulnerabilities are about the same. The main exceptions are platform-specific issues, such as the server-level flaws that have regularly affected Microsoft web servers.

The question that arises is, “What is ‘secure web programming’ as opposed to other types of programming?” This basic question is most often overlooked by companies seeking programming assistance. A programmer is, in a nutshell, a person who writes code to build some sort of dynamic behavior or application to meet the needs of a project. The sky is the limit on what those dynamics could be. They range from sophisticated scanning, response, and production systems all the way down to a simple email address submission field for the local security newsletter.

What sets a Security Programmer apart from other programmers is attention to security. The vast majority of programmers have little or no understanding of true security, and produce copious security vulnerabilities for unsuspecting customers and companies. Where the regular web programmer is ignorant of security, the true security programmer designs and writes application code with security in mind at every step of production. More than a few times I’ve heard programmers preach their knowledge of security, only to reveal their true lack of it. It is an unfortunate reality that most customers cannot differentiate the security programmer from the ignorant programmer who makes great claims of understanding security. Unfortunately, it is a case of buyer beware: customers who cannot tell the difference risk falling victim to poor programming and watching their online business dissolve under attacks and the repercussions that follow.

Wikipedia: http://en.wikipedia.org/wiki/Defensive_programming
Defensive programming is a form of defensive design intended to ensure the continuing function of a piece of software in spite of unforeseeable usage of said software. The idea can be viewed as reducing or eliminating the prospect of Murphy’s Law having effect. Defensive programming techniques are used especially when a piece of software could be misused mischievously or inadvertently to catastrophic effect.

Defensive programming is an approach to improve software and source code, in terms of:

  • General quality – Reducing the number of software bugs and problems.
  • Making the source code comprehensible – the source code should be readable and understandable so it is approved in a code audit.
  • Making the software behave in a predictable manner despite unexpected inputs or user actions.

The scope of this article is Secure Web Programming. Security programming extends into many other mediums aside from web sites and web applications. Programmers who work with Java, C, C++ and similar languages must observe similar security programming practices, or their applications may fall victim to many types of security vulnerabilities, both similar to and dissimilar from those found in web applications.

Below are a few methods of attack that a Secure Web Programmer must be aware of, and must understand in depth, to perform true Secure Web Programming.

Code Injection: Web servers accept submitted data from web pages, but that data does not have to come from the site’s own forms; an attacker can craft requests directly or tamper with them in transit (for example, from a man-in-the-middle position), so nothing about a request can be trusted on the grounds that a browser sent it. If the server-side application passes submitted text to something that interprets it (eval, include/require, a shell command, a template engine) without distinguishing data from code, the submitted code is executed and the security vulnerability becomes a security exploit.
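The following is an added example, not code from the original post. The page discusses PHP, but the example is written in Python so it runs stand-alone; the pattern (a calculator endpoint that hands user text to eval, beside a version that only interprets arithmetic) is the same in PHP’s eval(). The endpoint names, the 200-character cap and the attacker payload are assumptions for illustration.

```python
"""Code injection: a 'calculator' that hands user input to eval(), beside a
hardened version that parses the input and honours only arithmetic.
Constructed example; the payload and limits are assumptions."""
import ast
import operator

# Operators the hardened evaluator will honour. Pow is deliberately left out:
# "9**9**9" would let a caller burn CPU and memory (a denial of service).
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def vulnerable_calc(expr: str):
    """Vulnerable: the request text is executed as Python, so any expression
    the attacker sends runs with the web worker's privileges."""
    return eval(expr)  # deliberately unsafe, kept to show the flaw


def safe_calc(expr: str) -> float:
    """Hardened: parse the text as an expression and walk the syntax tree,
    rejecting anything that is not a number or one of the listed operators.
    The input is treated as data to interpret, never as code to run."""
    if len(expr) > 200:  # assumed cap; bounds parser work per request
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not an arithmetic expression") from exc
    try:
        return _eval_node(tree.body)
    except ZeroDivisionError as exc:
        raise ValueError("division by zero") from exc


def _eval_node(node: ast.AST) -> float:
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Names, attribute access, calls, subscripts and strings are all rejected,
    # which is what stops "__import__('os')..." from ever executing.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


if __name__ == "__main__":
    payload = "__import__('os').getcwd()"  # constructed attacker input
    print("vulnerable ran attacker code:", vulnerable_calc(payload))
    print("safe 2+3*4 =", safe_calc("2+3*4"))
    try:
        safe_calc(payload)
    except ValueError as err:
        print("safe rejected:", err)
```

The hardened version does not try to blacklist dangerous words in the string; it defines what is allowed and refuses everything else, which is the only approach that survives encoding tricks and new language features.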

SQL Injection: Similar to code injection above, a SQL injection submits a fragment of query structure or a query modification that the application passes on to the database. If the submitted value is spliced into the query text rather than bound as a parameter, and is not otherwise filtered or rejected, the database performs the submitted instructions. This may result in the entire database streaming to the attacker, to be used for subsequent attacks, published to the world, or sold for monetary gain. The database may also be altered or even deleted, rendering the web application worthless.
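As an added example (not code from the original post), here is a user lookup built by string concatenation beside the same lookup using a parameterized query. It uses Python with an in-memory SQLite table so it runs offline; the table, the three accounts and the payloads are constructed for the demonstration. PHP/MySQL code has exactly the same shape: the fix is PDO prepared statements with bound parameters instead of dropping the value into the query string.

```python
"""SQL injection: string-built query beside a parameterized one.
Constructed example with made-up sample accounts; not the page's code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three accounts, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-a", "user"),
         ("bob", "hash-b", "user"),
         ("admin", "hash-root", "admin")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the submitted text becomes part of the SQL, so a quote in
    the input ends the string literal and the rest is executed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the query text is fixed and the value travels separately as a
    bound parameter, so the driver can never mistake it for SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed attacker inputs: the first turns the WHERE clause into a
    # tautology, the second pulls the password column out through a UNION.
    tautology = "' OR '1'='1"
    union = "x' UNION SELECT username, password_hash FROM users --"
    print("vulnerable, tautology :", find_user_vulnerable(db, tautology))
    print("vulnerable, union     :", find_user_vulnerable(db, union))
    print("safe, tautology       :", find_user_safe(db, tautology))
    print("safe, alice           :", find_user_safe(db, "alice"))
```

Note that the safe version does no escaping or filtering of the input at all; the separation of query and data is done by the driver, which is why it holds up regardless of what characters the attacker sends.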

Denial of Service (DoS): Web applications under a DoS attack may stop responding to valid requests, may crash or shut down, or may be pushed into states that expose further vulnerabilities. Most DoS attacks simply leave the web server unable to answer real visitors’ requests, but a server that “breaks” under load (an exhausted worker pool, a filled disk, an error path that leaks internal details) may open the door to other attacks that give hackers access for exploitation.

Buffer Overflow: A buffer overflow occurs when the amount of data submitted exceeds the space allocated to receive and handle it, a limit usually dictated by the web server’s settings and sometimes by the programmer. When the allocated space is insufficient for the submitted data and the data is accepted anyway, the unexpected excess overwrites adjacent memory. The result ranges from system and application malfunctions to exploitable vulnerabilities. In a PHP application the script itself does not manage memory, so this class of bug lives in the web server, the language runtime and its native extensions; the programmer’s part is to bound what the application accepts and to keep those components patched.
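The DoS and buffer overflow paragraphs above share one practical control on the application side: never let the client decide how much you read or how large a buffer you allocate. The following is an added example, not code from the original post, in Python so that it runs stand-alone (in PHP the server-level equivalents are the post_max_size and upload_max_filesize settings). The limit, chunk size, exception names and the in-memory streams are assumptions constructed for the demonstration.

```python
"""Bounding request bodies so that an oversized or never-ending upload can
neither tie up a worker nor be read into a buffer sized by the attacker.
Constructed example; limits and stream contents are assumptions."""
import io

MAX_BODY_BYTES = 64 * 1024   # assumed application-wide limit; tune per endpoint
CHUNK = 4096                 # never allocate more than this per read


class BodyTooLarge(ValueError):
    """Request rejected because it exceeds, or claims to exceed, the limit."""


class IncompleteBody(ValueError):
    """Peer sent fewer bytes than its Content-Length promised."""


def read_bounded_body(stream, declared_length=None, max_bytes=MAX_BODY_BYTES) -> bytes:
    """Read a request body while trusting neither the Content-Length header
    nor the peer's willingness to stop sending.

    - A malformed, negative or over-limit Content-Length is rejected before a
      single byte is read, so the attacker cannot choose the buffer size.
    - Without a Content-Length the body is read until EOF, but never more than
      max_bytes + 1: one byte past the limit is proof the request is too big.
    - Data is consumed in fixed-size chunks, so memory use per read is bounded
      even when the declared length is large but legitimate.
    """
    if declared_length is not None:
        try:
            declared = int(declared_length)
        except (TypeError, ValueError):
            raise BodyTooLarge("malformed Content-Length")
        if declared < 0 or declared > max_bytes:
            raise BodyTooLarge(f"declared {declared} bytes, limit is {max_bytes}")
        target = declared
    else:
        declared = None
        target = max_bytes + 1

    chunks, received = [], 0
    while received < target:
        piece = stream.read(min(CHUNK, target - received))
        if not piece:          # EOF: peer stopped sending
            break
        chunks.append(piece)
        received += len(piece)

    if declared is not None and received < declared:
        raise IncompleteBody(f"got {received} of {declared} bytes")
    if received > max_bytes:
        raise BodyTooLarge(f"body exceeds {max_bytes} bytes")
    return b"".join(chunks)


if __name__ == "__main__":
    accepted = read_bounded_body(io.BytesIO(b"name=alice"), "10")
    print("accepted", len(accepted), "bytes")
    try:
        read_bounded_body(io.BytesIO(b"x" * 70000), "70000")
    except BodyTooLarge as err:
        print("rejected before reading:", err)
```

The important property is that the rejection of an over-limit Content-Length happens before any read: the stream position is untouched, so no worker time or memory was spent on a request that was never going to be served.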

In addition, there are external protocols to observe for the big picture of Secure Web Programming. Security programming extends beyond the code itself and into the public domain. Information handling covers both internal and external displays of information, for both restricted and unrestricted access. It is not uncommon for a programmer with only code-level security experience to create a secure and valid application that nonetheless allows the customer or admin to accidentally make more information public and external than intended.

Information Dissemination: Using credit card profiles as an example, some web applications allow an admin to store sensitive information in a non-sensitive context (a free-text notes field, a printable report, an exported spreadsheet). The admin may be secure from a server-side perspective, yet the information itself ends up revealed to the world. The application may not be vulnerable to attack, but securing the data itself was not handled correctly or appropriately.

Google Hacking: Once information is disseminated, it is likely that Google will index it and make it even more accessible to attackers. Google hacking, as coined by Johnny Long (the well-known Google hacking expert), is the art and science of using Google’s search operators to craft very specific queries that surface results the site owner never expected to be found. For example, if the credit card information above had been disseminated via a public external medium and Google managed to index it, a Google hacker would quickly find that information and use it for their own purposes.
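The Information Dissemination and Google Hacking paragraphs above describe the same failure from two sides: a card number typed into a field that is later displayed or exported, then indexed. One control a secure web programmer adds is a check on free-text fields before they are stored or rendered. The following is an added example, not code from the original post, written in Python; the sample note is constructed, the 4111 1111 1111 1111 number is a standard test card number rather than a real one, and the masking format is an assumption.

```python
"""Catching card numbers before they land in a free-text field that is shown
publicly (and indexed). Constructed example; not the page's code."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# glued to further digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit, which every real card number satisfies; this filters
    out phone numbers, order IDs and most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def contains_pan(text: str) -> bool:
    """True if the text holds at least one Luhn-valid card number."""
    return any(luhn_ok(_digits_only(m.group(0)))
               for m in _PAN_CANDIDATE.finditer(text))


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number with a masked form that keeps only
    the last four digits, which is what a support note legitimately needs.
    Digit runs that fail the Luhn check are left untouched."""
    def _mask(match: re.Match) -> str:
        raw = match.group(0)
        digits = _digits_only(raw)
        if not luhn_ok(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    # Constructed admin note of the kind that ends up in a public-facing field.
    note = ("Customer called about card 4111 1111 1111 1111, callback "
            "555-867-5309, order 1234567890123")
    print("contains PAN:", contains_pan(note))
    print(redact_pans(note))
```

Whether the right action is to mask the value or to reject the save with an error is a business decision; either way the check belongs at the point where the data enters the system, not in the search engine’s robots.txt, which is a request to crawlers rather than an access control.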

Note: Court systems and police departments will publicize your credit card information if your purse or wallet was stolen and you hand the card details to the officer. Not only will your credit card information be made immediately public, so too will your full name, home address, and other personal information. If your card is stolen, call the credit card company first, before the police help Google hackers abuse your account!

Now comes the question, “How do I protect my web applications?” My first response to this question is, “Make sure your programmer really does have expert knowledge and experience with security.” Anyone can buy a book on programming and build a simple email address submission form. This does not make them a true programmer. Any programmer can buy a book on security and make grand claims of being a “hacker,” which may garner them some weekend dates, but does not make them a security programmer. What differentiates a Joe Blow from a programmer is the same thing that differentiates a programmer from a Secure Web Programmer: experience and expertise.

Code Audits & Code Reviews: If your web applications are already built, or have been significantly changed or updated, you may want to consider a code review. Especially when applications were developed by programmers who are unaware of security, a code review may reveal the security flaws that exist, point out where they reside, and define how to resolve them. If your programmer is not a Secure Web Programmer, your next best option is to have a code review. In some cases, companies opt for a code review as a third-party assessment to assure themselves that their secure web programmers did not miss anything.

Make sure your potential “Secure Web Programmer” provides a portfolio of past programming and security work, has reliable business references that vouch for that person’s programming and security skills as valid and expert, and make sure you communicate extremely well with that person so they understand your business, the project and all of its potential caveats before they start writing code. Programmers who hide in dark corners and avoid communication should be managed more closely, because they are likely to miss the boat and go in the wrong direction for lack of understanding the project at hand. You may have the smartest code writer around, but without communication, how can they build the most appropriate system for your business needs, and how will they protect it if they don’t understand the big picture? Most importantly, do NOT neglect security as a major component in developing your web applications!!

If you have questions about Secure Web Programming, or have concerns about your current web applications, you may contact me at andrewlandsman at emagined dot com or call Emagined™ at 888.235.1906 for a Security Consultation.
