Many people, when asked to name the largest software security problems today, might name specific classes of errors such as SQL injection, buffer overflow or cross-site scripting vulnerabilities. Yet focusing on these individual problems can lead to ignoring the broader challenges, which are often tied to developers’ mindsets, security consultant Kenneth van Wyk noted in a recent Computerworld post. He suggested that many security errors could be avoided if developers were less trusting and if they considered more than functionality when building products, noting that these two issues stem from the same inattention to security.
“When you focus only on building functionality and not preventing unspecified functionality, you don’t anticipate potential attacks, and you end up with the OWASP Top 10 and other lists like it,” van Wyk wrote. “This is my message: Building functionality is indispensable, but so is preventing code from doing things you don’t anticipate. Getting that right is the tough part, of course.”
Noting that developers should expect the worst, van Wyk suggested they think of software much in the way that one handles a toddler crossing a busy street: One shouldn’t count on the toddler’s good judgment to be enough to guarantee his or her safety. Similarly, developers shouldn’t expect their code to stay safe without giving it some security guidance.
Helping code meet security needs
To overcome their tendency to focus exclusively on functionality and not anticipate security problems, developers should take a more active role in understanding how data passes through an application and in anticipating exceptions, van Wyk wrote. He suggested developers pay particular attention to input validation. By using positive validation approaches – whitelisting safe inputs rather than trying to catch unsafe ones – developers can increase the stability of their program, for instance.
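The difference between the two validation approaches van Wyk contrasts, shown as an added example that is not code from the post or from Klocwork: a denylist that rejects known-bad fragments beside an allowlist that accepts only the shape a user-handle field actually needs. The handle format, the denied fragments and the sample inputs are constructed assumptions.

```python
import re

# Denylist ("negative") validation: reject inputs containing known-bad fragments.
# The list is deliberately short, which is the point: a denylist only knows the
# inputs its author anticipated (constructed for illustration).
DENIED_FRAGMENTS = ("'", "--", "<script")

def denylist_is_safe(value: str) -> bool:
    lowered = value.lower()
    return not any(fragment in lowered for fragment in DENIED_FRAGMENTS)

# Allowlist ("positive") validation: accept only what the field is specified to
# hold. Assumed spec: a handle is 3-16 ASCII letters, digits or underscores.
# fullmatch() is used rather than "$", which in Python would accept a trailing newline.
HANDLE_RE = re.compile(r"[A-Za-z0-9_]{3,16}")

def allowlist_is_safe(value: str) -> bool:
    return HANDLE_RE.fullmatch(value) is not None

# Constructed sample inputs a registration form might receive, with the verdict
# the field's specification requires.
SAMPLES = {
    "alice_01": True,           # legitimate handle
    "bob'": False,              # quote: both approaches reject it
    "eve<SCRIPT>": False,       # denylist catches it only because it lowercases
    "alice\x00": False,         # embedded NUL: nothing on the denylist matches
    "\u0430lice_01": False,     # Cyrillic 'a' homoglyph: looks legitimate, is not ASCII
    "ab": False,                # too short for the field; a denylist has no notion of shape
}

def compare(samples=SAMPLES):
    """Return each input with both verdicts and the verdict the spec requires."""
    return [
        {
            "input": value,
            "denylist": denylist_is_safe(value),
            "allowlist": allowlist_is_safe(value),
            "expected": expected,
        }
        for value, expected in samples.items()
    ]

def denylist_misses(samples=SAMPLES):
    """Inputs the denylist accepted even though the field should reject them."""
    return [r["input"] for r in compare(samples) if r["denylist"] and not r["expected"]]

if __name__ == "__main__":
    for row in compare():
        print(row)
    print("denylist accepted but should not:", denylist_misses())
```

Every input the allowlist verdict disagrees with the denylist on is one the denylist author never listed; the allowlist needs no knowledge of those inputs because it only describes what is acceptable.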
This advice is also echoed in secure coding guides such as those published by OWASP and SAFECode. Limiting permissions and inputs is generally an effective method of preventing injection attacks. One of the best tools for catching potential vectors for such attacks is static analysis software. Using automated source code analysis, programmers can locate problems and fix them prior to release.
Simply by putting tools in place to catch their errors, developers can also avoid the dangers of assuming their code is safe or that its vulnerabilities are too obscure for attackers to find. Static analysis highlights these errors, giving developers the visibility and awareness they need to expand their focus beyond pure functionality.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.