
Preventing Break-Ins by Thinking Like a Hacker

In the document From the authors (Page 60-65)

With the understanding that the Internet, and thus Web application programming, is only going to become more advanced, every possible measure needs to be taken to ensure tighter security. A few of the mainstream transactions that take place daily already include stock trading and tax filing; they will someday include voting and other interactive high-stakes functions that rely heavily on security.

The best possible way to focus on security, as a developer, is to begin to think like a hacker. Examine the very methods that hackers use to break into and attack Web sites and use those same practices to prevent attacks. You test your code for functionality; one step further is to test for security, to attempt to break into it through some hole that you may have unintentionally left in it.

Do not rely entirely on quality assurance (QA) to be able to hack into your code; developers typically make the best hackers. There has to be an understanding of how code works, along with why certain statements are coded one way and others a different way. You also have to possess knowledge of the different kinds of programming languages, and of how network security works. All of this information factors in when a hacker is planning an attack.

Optimally, three different levels should be looked at when considering “total security” for Web applications. Teams and their respective tasks to investigate at those levels are as follows:

Development Team

Stay current on security threats and vulnerabilities.

Stay current on information relevant to your programming languages.

Plan for security in your code prior to any development work beginning.

Test your written code multiple times, with the assumption that it has vulnerabilities. Hackers may try repeatedly to crack code, quitting usually only after either a successful attack or when they are absolutely convinced there is no possible way to breach the security of the code. Just because you don’t see an obvious flaw does not mean that the code is secure. It probably just means you haven’t figured out the right way to break into the code yet.

Have your code reviewed by co-workers. Obviously code reviews won’t save your organization from a successful hacking attempt, nor are code reviews the main means to be used by thinking like a hacker, but they do help to lessen the likelihood of a successful attack.

Perform regular security checks against code written for your Web application by attempting penetration attacks.

Use version control software with “copy of production” and “development” clearly distinguished.

Follow coding standards.

Use code reviews to look for backdoors left in by previous developers.

Quality Assurance Team

Perform boundary testing.

Perform stress and load testing using tools such as sniffers.

Perform ad-hoc testing using unusual combinations, such as control key inserts.

Perform alternative path testing.

Perform penetration testing from a network level.

Use code reviews to look for intentional back door openings, if talent allows.
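The development-team item about testing your own code on the assumption that it has vulnerabilities, and the QA items on boundary testing and ad-hoc testing with unusual input combinations, describe a practice rather than show one. The following is an added example (not code from the book): a small username validator together with a table of boundary and control-character inputs of the kind those tests should throw at every input field. Alongside it sits a naive validator that a developer might plausibly write, so that the same table shows what the tests catch. The validator, its 32-character limit, and every test input are assumptions constructed for this illustration.

```python
"""Boundary and control-character tests for an input validator.

Added example, not from the book excerpt. The validator, MAX_LEN and the
test cases below are constructed for illustration only.
"""
import re
import unicodedata

MAX_LEN = 32                                  # assumed application limit
ALLOWED = re.compile(r"[A-Za-z0-9._-]+")      # allow-list, used with fullmatch


def is_valid_username(value) -> bool:
    """Return True only for a well-formed username.

    Rejects non-strings, empty input, over-long input, any control
    character (CR, LF, NUL, ESC, TAB, ...) and anything outside the allow-list.
    """
    if not isinstance(value, str):
        return False
    if not 1 <= len(value) <= MAX_LEN:
        return False
    # Control characters are rejected explicitly, even though the allow-list
    # would also catch them, so the intent is visible in code and in review.
    if any(unicodedata.category(ch) == "Cc" for ch in value):
        return False
    return ALLOWED.fullmatch(value) is not None


def naive_is_valid_username(value) -> bool:
    """A plausible first attempt: no length check, and re.match with '$'.

    In Python, '$' also matches just before a trailing newline, so this
    accepts "alice\\n"; the boundary table below exposes that and the
    missing length limit.
    """
    return re.match(r"^[A-Za-z0-9._-]+$", value) is not None


# Boundary and ad-hoc cases: (input, expected verdict, reason). Constructed.
BOUNDARY_CASES = [
    ("", False, "empty"),
    ("a", True, "minimum length"),
    ("a" * MAX_LEN, True, "exactly at limit"),
    ("a" * (MAX_LEN + 1), False, "one past limit"),
    ("a" * 10_000, False, "far past limit"),
    ("alice\n", False, "trailing newline"),
    ("alice\r\nX-Injected: 1", False, "CR/LF inside field"),
    ("alice\x00", False, "NUL terminator"),
    ("alice\x1b[2J", False, "escape sequence"),
    ("alice\t", False, "tab"),
    ("al ice", False, "space"),
    ("alice;drop", False, "punctuation outside allow-list"),
    ("../../etc/passwd", False, "path characters"),
    ("alice.bob-1_", True, "allowed punctuation"),
    ("Ｘ", False, "full-width letter outside allow-list"),
]


def run_boundary_tests(validator=is_valid_username):
    """Run every case; return a list of (input, expected, got, reason) failures."""
    failures = []
    for raw, expected, reason in BOUNDARY_CASES:
        got = validator(raw)
        if got != expected:
            failures.append((raw, expected, got, reason))
    return failures


if __name__ == "__main__":
    for name, fn in (("strict", is_valid_username), ("naive", naive_is_valid_username)):
        bad = run_boundary_tests(fn)
        print(f"{name}: {len(BOUNDARY_CASES) - len(bad)}/{len(BOUNDARY_CASES)} cases passed")
        for raw, expected, got, reason in bad:
            print(f"  FAIL [{reason}]: {raw!r} expected {expected}, got {got}")
```

The table is deliberately boring: an empty field, the exact limit, one past it, and a handful of control characters. That is what boundary testing means in practice, and it is enough to show that the naive validator accepts a trailing newline and has no length limit at all, which is exactly the kind of hole a developer does not see until something tries to exercise it.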

Information Security Team

Information security will approach security from a network level and from an individual workstation level, as well as working with developers on the application level.

Stay current on virus, worm, and Web application threats.

Stay current on tools available to combat security vulnerabilities/threats.

Have a security plan in place.

Perform regular security checks on the network for any unknown vulnerabilities.

Ensure that the entire organization is updating virus protection and OS service patches.

Work with individual users to maintain security at a workstation level.

Have a firewall and set up intrusion detection systems.

Stay current with network device security patches (such as firewall and intrusion detection).

For security to be at its best, with the biggest chance to succeed, the three levels must function together, much like a well-oiled machine.

Having only one piece in place will not provide any organization with enough protection to feel secure. At least, organizations that handle security in this manner shouldn’t feel secure. With all the different methods that hackers are using to penetrate networks and applications, your team needs to be equally skilled.

Summary

Hacking has evolved over a period of time. Many of the now infamous hackers, such as Cap’n Crunch, started out by breaking into the phone lines of Ma Bell. What started out as interest and curiosity was in reality an early form of hacking. Computer hacking really took off with the introduction of ARPANET, personal computers, and then the Internet.

Advancements in technology have a direct correlation to challenges posed by the hacking community.

The term “hacker” is one that has numerous meanings, depending on what one’s perceptions are and whether the name is self-ascribed.

The key difference that we should be aware of is the difference between a malicious hacker and an ethical hacker. A malicious hacker hacks with the intent to find a vulnerability and then exploit that vulnerability.

More ethical hackers may choose to disclose the vulnerabilities that they find to the appropriate people. What most often motivates a hacker is the challenge to find a hole, exploitable code, or a breach in security that nobody else has found yet. The methods of attack are as varied as the reasons for them, but the ones that we are all more familiar with are DDoS attacks, virus attacks, and worm attacks; attacks more directly avoidable by developers include buffer overflow attacks, cookie poisoning, and cross-site scripting.

Hiring a security professional—whether contract or full-time, network-oriented or development-oriented—is a step in the right direction towards serious defense. Prior to bringing someone on board, there has to be an understanding of what the security professional’s role will be, there should be a good security plan in place, and there should be regularly scheduled review meetings to ensure that the goals are being met with consistency.
