WHAT YOU DON'T KNOW ABOUT SECURITY (BUT SHOULD)

WHAT YOU DON'T KNOW ABOUT SECURITY CAN HURT YOU
Application security is no longer a nice-to-have. Your organization might be looking to adopt a DevOps methodology to put operational and non-functional requirements into your development process. Even if you're not yet using a DevOps process, security must be addressed earlier in development, to keep security from becoming a gate. Development must become secure development. DevOps needs to become DevSecOps.

From the individual developer's point of view, that means security is becoming a job requirement. This guide will help you build your knowledge of the most common application security risks and how to prevent them. Plus, we'll point you to additional resources for a deeper dive into the security issues we discuss here.

Let's get started!

CONTENTS

5 Application Risks and How to Prevent Them
• SQL Injection
• Cross-Site Scripting
• Insecure Crypto
• Weak Access Controls and Credentials Management
• Vulnerable Open Source Components

3 Foundations of Secure Code
• Technology
• Processes
• Security Training and Skills Development

Where to Go Next
5 APPLICATION RISKS AND HOW TO PREVENT THEM

Application-layer attacks have emerged as the number one source of confirmed breaches, according to Verizon, and the stakes are rising.
SQL INJECTION

SQL injection (SQLi) weaknesses occur when an application uses untrusted input data, such as data entered into web form fields, as part of a database query. When an application builds the query text by concatenating this untrusted data into a SQL string, an attacker can include their own SQL commands, which the database will execute with the application's privileges.

SQL injection is an OWASP Top 10 application risk. Attackers can use SQL injection to read, modify or delete data, bypass authentication checks, change an application's data-driven behavior, and do other undesirable things.

Use parameterized queries. This type of query specifies placeholders for parameters, so that the database will always treat them as data, rather than as part of a SQL command. Prepared statements and object relational mappers make this easy for developers, provided you never build a raw query string from input and hand it to the ORM.

Where prepared statements are unavailable (for example, a table or column name that has to vary), restrict the input to an allow list of known-good values. Escaping inputs before adding them to the query is a last resort: the escaping rules depend on the database and on where in the statement the value lands, and a single missed call leaves the injection in place.
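The following is an added example, not code from the original guide or from Veracode: it builds a constructed in-memory SQLite table (hypothetical schema and rows) and runs the same two attacker inputs through a concatenated query, a parameterized query, and the escaping fallback. The attacker strings are constructed for the demonstration.

```python
import sqlite3


# Constructed in-memory database for the demonstration; the schema and rows are
# hypothetical, not taken from any real application.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: untrusted input is spliced into the SQL text, so the database
    parses whatever the user typed as part of the command."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """Fixed: a placeholder goes to the driver and the value is bound separately,
    so it can only ever be compared as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def find_user_escaped(conn, username):
    """Fallback when no prepared statement is available: double every single quote
    so the value cannot terminate the string literal. Only correct inside a quoted
    literal; a numeric context or an identifier needs different treatment."""
    escaped = username.replace("'", "''")
    sql = "SELECT username, email FROM users WHERE username = '" + escaped + "'"
    return conn.execute(sql).fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "x' OR '1'='1"                                      # makes the WHERE always true
SCHEMA_DUMP = "x' UNION SELECT name, sql FROM sqlite_master --"  # reads the table definitions


def demo():
    """Returns what each variant hands back for the same hostile inputs."""
    conn = make_db()
    return {
        "vulnerable_tautology": find_user_vulnerable(conn, TAUTOLOGY),
        "vulnerable_schema": find_user_vulnerable(conn, SCHEMA_DUMP),
        "parameterized_tautology": find_user_parameterized(conn, TAUTOLOGY),
        "parameterized_schema": find_user_parameterized(conn, SCHEMA_DUMP),
        "escaped_tautology": find_user_escaped(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated query returns every user for the tautology and the CREATE TABLE text for the UNION payload; the parameterized query looks for a user literally named `x' OR '1'='1` and finds nothing. The `--` at the end of the UNION payload is what lets the attacker discard the closing quote the application appends.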
U.S. PRESIDENTIAL ELECTION

Ahead of the 2016 U.S. presidential election, nation state-sponsored attackers used SQL injection to compromise voter records databases in at least two states, potentially allowing the attackers to delete voter registration data and disrupt voting.

See an SQL Injection Example Cheat Sheet
CROSS-SITE SCRIPTING

Cross-site scripting (XSS) vulnerabilities occur when web applications don't validate and sanitize user input, and lack proper encoding for the output. An attacker can exploit XSS vulnerabilities to inject malicious script into a vulnerable webpage using

Cross-site scripting can be used to hijack user accounts, spread worms and Trojans, access browser history and clipboard contents, control the browser remotely, and scan and exploit intranet appliances and applications.

Always sanitize input from search fields and forms, and convert user input to a single character encoding before parsing. Make sure all data is validated, filtered, or escaped before it is sent back to the user, and use the encoding that matches where the value lands: HTML body, HTML attribute, JavaScript string and URL each have different rules, and HTML-escaping a value that is written into a script block does not protect it.
INSECURE CRYPTO

Encryption technologies are one of the essential elements of any secure computing environment. However, coding secure crypto can be difficult due to the number of parameters that you need to configure: algorithm, mode, key length, initialization vector or nonce, padding, and how keys are generated, stored and rotated. Even a tiny misconfiguration, such as a reused nonce or a hard-coded key, will leave an entire crypto-system open to attacks.

Insecure crypto can lead to exposed, lost or destroyed data, including some of your most sensitive information (e.g., personally identifiable information such as Social Security numbers, or bank or credit card details).

Use security-focused open source libraries to introduce security controls into your application, including the OWASP Enterprise Security API and OWASP Java Encoder Project.

Most modern languages have implemented crypto-libraries and modules, so choose one based on your application's language, prefer its high-level, misuse-resistant interfaces over raw primitives, and never implement your own algorithms.
WEAK ACCESS CONTROLS AND CREDENTIALS MANAGEMENT

Weak access controls include a poor password policy, such as a lack of two-factor authentication or account lockout after a series of failed password entries. Failure to enforce the principle of least privilege gives users more access than they need, opening up more

Attackers can manipulate data and systems, dupe users into loading malware onto the system, or steal personal and confidential data, such as banking information and Social Security numbers. Poor password storage (plaintext, reversible encryption, or unsalted fast hashes) can lead to account takeovers.

Enforce strong authentication/authorization with two-factor authentication and account lockout after too many failed attempts, and by auditing logins (e.g., IP addresses). Store passwords only as salted hashes produced by a deliberately slow, purpose-built function, and compare them in constant time. Lock down administrative accounts
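The block below is an added example serving both the insecure-crypto and the access-control sections; it is not code from the original guide. It contrasts an unsalted fast hash with PBKDF2-HMAC-SHA256 and a per-user random salt (a parameter choice assumed here, with the iteration count as an assumption you should set from current guidance), compares digests in constant time, locks an account after a fixed number of failures, and records every attempt with its source IP for later audit. The user store, usernames and IP addresses are constructed.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (not from the original page): PBKDF2-HMAC-SHA256 with a
# 16-byte per-user salt. Set the iteration count from your platform's current
# guidance; 600_000 is the figure OWASP published in 2023 for this construction.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
MAX_FAILED_ATTEMPTS = 5


def weak_hash(password):
    """The insecure 'before': unsalted, fast hash. Identical passwords yield
    identical hashes, and a leaked table cracks at GPU speed."""
    return hashlib.md5(password.encode()).hexdigest()


class UserStore:
    """Constructed demo store: a dict keyed by username, plus an in-memory audit log."""

    def __init__(self, iterations=DEFAULT_ITERATIONS):
        self.iterations = iterations
        self.users = {}
        self.audit = []  # (username, ip, outcome) tuples

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, username, password):
        salt = secrets.token_bytes(SALT_BYTES)
        self.users[username] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "failed": 0,
            "locked": False,
        }

    def login(self, username, password, ip):
        rec = self.users.get(username)
        if rec is None:
            # Burn the same work for unknown users so response time does not
            # reveal which usernames exist.
            self._derive(password, b"\x00" * SALT_BYTES)
            self.audit.append((username, ip, "unknown-user"))
            return False
        if rec["locked"]:
            self.audit.append((username, ip, "locked"))
            return False
        candidate = self._derive(password, rec["salt"])
        # compare_digest runs in constant time; '==' would leak how many
        # leading bytes match.
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failed"] = 0
            self.audit.append((username, ip, "success"))
            return True
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True
        self.audit.append((username, ip, "failure"))
        return False

    def is_locked(self, username):
        return self.users[username]["locked"]

    def failures_from(self, ip):
        """Audit query a responder would run: failed or locked attempts from one address."""
        return [e for e in self.audit if e[1] == ip and e[2] in ("failure", "locked")]


if __name__ == "__main__":
    store = UserStore(iterations=50_000)  # lowered only so the demo runs quickly
    store.register("alice", "correct horse battery staple")
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.login("alice", "password1", "198.51.100.9")
    print("locked:", store.is_locked("alice"))
    print("audit:", store.failures_from("198.51.100.9"))
```

Two users with the same password get different stored hashes because the salt differs, which is exactly what the unsalted `weak_hash` fails to provide. Lockout is a blunt control (an attacker can use it to lock victims out), so pair it with rate limiting and two-factor authentication rather than relying on it alone.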
VULNERABLE OPEN SOURCE COMPONENTS

Open source components speed development cycles by providing ready-made code. But open source (and commercial, third-party) components come with risks. They may not have had the same level of scrutiny as code developed in-house. Pinpointing the location of all containers, components, and libraries

Open source code presents all the same risks as code developed in-house, but it can be much more difficult to maintain visibility into what components you're using and where. This can lead to the presence of vulnerabilities in components that remain hidden for a long time.

Keep an up-to-date inventory of all the components you use in your applications, including the transitive dependencies your direct dependencies pull in, so vulnerability managers can update components to secure versions when new vulnerabilities are disclosed. Automated software composition analysis
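As an added example (not the guide's or any vendor's code), the block below shows the core of a component inventory check: it parses a pinned manifest, compares each installed version numerically against the fix version from an advisory feed, and lists what needs upgrading. The manifest, package names, versions and advisories are all constructed for the example; they are not real projects or real vulnerability identifiers.

```python
import re

# Constructed manifest in requirements.txt style. The package names, versions and
# advisories below are invented for this example; they are not real projects or CVEs.
MANIFEST = """\
# constructed example manifest
templatelib==2.1.4
httpclient==4.0.1
xmlparser==0.9.2
"""

ADVISORIES = [
    {"name": "templatelib", "fixed_in": "2.3.0",
     "summary": "constructed: remote code execution via template expression"},
    {"name": "xmlparser", "fixed_in": "1.0.0",
     "summary": "constructed: external entity expansion"},
    {"name": "httpclient", "fixed_in": "3.2.0",
     "summary": "constructed: header injection, fixed before the installed 4.x line"},
]

_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*$")


def parse_manifest(text):
    """Turns 'name==version' lines into a dict; blank lines and comments are skipped.
    Unpinned lines are rejected: an inventory you cannot pin, you cannot audit."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN.match(line)
        if not m:
            raise ValueError(f"unpinned or unparseable dependency line: {raw!r}")
        inventory[m.group(1).lower()] = m.group(2)
    return inventory


def version_key(version):
    """Numeric tuple so that '2.10.0' sorts after '2.9.1' (string comparison gets this wrong)."""
    return tuple(int(p) for p in version.split("."))


def vulnerable_components(inventory, advisories):
    """Every installed component whose version is below the advisory's fix version."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["name"].lower())
        if installed is None:
            continue
        if version_key(installed) < version_key(adv["fixed_in"]):
            findings.append({"name": adv["name"], "installed": installed,
                             "fixed_in": adv["fixed_in"], "summary": adv["summary"]})
    return sorted(findings, key=lambda f: f["name"])


if __name__ == "__main__":
    for f in vulnerable_components(parse_manifest(MANIFEST), ADVISORIES):
        print(f"{f['name']} {f['installed']} -> upgrade to {f['fixed_in']}: {f['summary']}")
```

Real software composition analysis tools do the same comparison against a maintained advisory database and also walk transitive dependencies and container images; the numeric version comparison and the refusal to accept unpinned lines are the two details that most often go wrong in home-grown scripts.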
CANADA REVENUE AGENCY

In March 2017, attackers exploited a critical code injection vulnerability in the Apache Struts 2 library to gain unfettered access to a web server of the Canada Revenue Agency, putting Canadian taxpayers at risk of identity theft and fraud.

How to Reduce Risk from Open Source Components
3 FOUNDATIONS OF SECURE CODE

TECHNOLOGY

controls the procurement of AppSec tools, ask them to make those tools freely available for your use. The following AppSec technologies will help you get the job done:

Integrations with the development, build, and ticketing tools you're already using mean you don't have to change environments to open a separate tool (that can be annoying!). Testing tools that integrate with bug tracking tools automatically open tickets in your backlog for new security issues, ensuring that nothing falls through the cracks.

Ask for testing tools with low false positive rates, to avoid unnecessary work.

Infographic: Securing the Software Development Pipeline
PROCESSES

and processes. You should advocate for processes

Procedures for dealing with problems ensure security issues don't get left until the end of the process. Create policies around when to escalate issues to the security team.
SECURITY TRAINING AND SKILLS DEVELOPMENT

New threats are always emerging, but cyberattackers continue to rely on some tried-and-true methods, such as SQL injection and cross-site scripting. To maintain and extend your security skills, work with security teams to

On-demand, video-based courses you can access while you code help you get the job done. Instructor-led training and eLearning courses will build your skills over time.

Peer-led training and events, such as learning lunches, go a long way toward boosting your awareness and security knowledge, and help create a culture of security.

Security champions — this could be you, or another member of the development team with an interest in security — can be the security conscience of your team, bringing a focus to security at every stage of the development lifecycle.

Capture the Flag and Red Team/Blue Team exercises aren't just fun and exciting; they can help find vulnerabilities and build a culture of awareness.

If you're really serious about becoming a security expert, try to participate in internal or third-party bug bounties. The recognition is a reward in itself, but there could also be monetary prizes!
WHERE TO GO NEXT

security knowledge, you'll ultimately boost your value for your company. And maintaining your security skills will bring you rewards, including the respect of your peers and managers, and keep you in demand for the top jobs.

READ

"Dark Territory: The Secret History of Cyber War," by Fred Kaplan
"Secure Java: For Web Application Development," by Abhay Bhargav and B. V. Kumar

WATCH

Understanding Applications in the Security Ecosystem
The Human Side of DevSecOps: Creating Security Champions
DEVSECOPS GALAXY
The Developer's Guide to the DevSecOps Galaxy

CONTACT US TODAY
LEARN MORE AT VERACODE.COM