It seems like every summer there’s another horror story about shark sightings and attacks at local beaches. JAWS taught us all that sharks are scary and should be avoided in the open ocean. That’s pretty solid advice and I can’t argue with it. But you know what else is good advice for enjoying the perfect beach day? Knowing how to swim, wearing sunscreen, staying under an umbrella, drinking plenty of water, avoiding rip currents, and steering clear of slippery jetties. Sure, the possibility of being eaten by a shark is real, but a painful sunburn because you forgot to reapply is far more likely. The same logic follows for cyber-attack and prevention. Some types of exploits are far more common than others and usually much easier to prevent as well.
The best way to protect applications from potential data breach is to code them securely from the start. Take for example injection flaws, which allow attackers to input code that can trick the app into executing a malicious call to the database. These types of flaws can dump passwords or allow a hacker to access and modify sensitive data among other fishy stuff. OWASP (the open web application security project) has been putting injection flaws on its Top 10 for nearly 15 years. In his SQL Injection Prevention Cheat Sheet author Dave Wichers says, “It’s somewhat shameful that there are so many successful SQL Injection attacks occurring, because it is EXTREMELY simple to avoid SQL Injection vulnerabilities in your code.” Preventing SQL injection flaws from showing up in your applications is like smearing on some SPF 50 and plopping yourself under a safely anchored umbrella. Doing the preventive work on the front end will save you a lot of trouble and it’s not all that hard to do either.
Even the specific programming language chosen for an application can impact its overall security posture. Veracode’s recent supplement to the State of Software Security Vol. 6 found that applications written in web scripting languages, like PHP, have far higher rates of vulnerabilities like SQL Injection and cross-site scripting than applications written in say, C or C++. Veracode CTO, Chris Wysopal, notes, “When organizations are starting new development projects and selecting languages and methodologies, the security team has an opportunity to anticipate the types of vulnerabilities that are likely to arise and how best to test for them”. Picking the right language to maximize your app’s functionality and coding with security in mind is like knowing how to swim before diving in.
There are a number of real world threats that any information security professional must be aware of and defend against. Some are easier to prevent than others and can dramatically lower your company’s overall risk. There’s sometimes a culture of fear around rare and complex exploits, like advanced persistent threats (shark attacks). But most bad actors follow the path of least resistance. Taking little preemptive steps, will make for a happy beach day and a safer application portfolio.
Want more tips and advice on managing your AppSec program? Check out our new CISO Kit for Application Security.