Web application compromises are on the rise. As a category of breach, they represent a high risk to organisations, and they are often intrinsically linked to personal and client data, meaning that a breach can have wide-reaching implications.
Reflecting on the importance of securing web apps, we asked Rob Jones and Jon Kilgallon of Redscan’s DevOps team to share their insights into why cyber security is now an integral part of the software development process.
What would you say to a developer who might be thinking “cyber security is the responsibility of the IT team”?
RJ: As a developer, you must accept that regardless of what you make, cyber security is your responsibility. Thinking that security is someone else’s job can lead to development being the weak link in the chain. You must be mindful about cyber threats whilst developing applications to protect your employer and end users, but also because the cheaper, more sustainable path is to build security in at the development phase rather than firefighting once a product has been released.
JK: I’d say that hackers are not stupid – they actively go looking for poorly written applications where they can score quick wins. A web app that’s been released without rigorous security testing is very low-hanging fruit. In some cases, vulnerable applications can be identified through Google searches, with the tools that a hacker would need to exploit them only another search away.
How do you think about security when developing applications?
RJ: It’s an upfront consideration, not just something that should be thought about last minute. A good developer should be aware of how the applications they develop could be exploited. Attention should be paid to sources of information and best practices, such as the OWASP Foundation, as well as guidelines and standards promoting security by design. Not all vulnerabilities are overly complex or taxing to address; sometimes measures such as not shipping devices with the default password for new user accounts, or ensuring web apps have two-factor authentication, are the most effective.
JK: It’s important that developers work very closely with testing teams to identify vulnerabilities at every stage of the development process. Seeking support from specialist penetration testers that can think like malicious hackers to help identify hidden exposures that QA teams might miss is also highly advisable.
How is cyber security responsibility reflected in coding decisions?
RJ: There are principles to follow throughout the development process to help ensure development teams fulfil their cyber security responsibilities. One guiding principle for web application development is that the network client is untrusted. If we apply this principle when thinking about where authentication should occur, we can conclude that checks should take place at the server. Code residing at the client side is vulnerable, as it’s trivial for an attacker to fire HTTP requests to the server without running client-side code.
Which threats are currently on your radar?
RJ: Cross-site scripting attacks (XSS), which allow hackers to intercept data, are on the rise and have claimed a number of high-profile victims, including eBay and British Airways. It’s a slight misnomer, as XSS attacks can be conducted against and within a single site, but developers need to think about how any data sent to their site will be interpreted by a browser.
JK: Another type of attack that developers need to pay attention to is SQL injection. SQL injection occurs when data that contains valid SQL code is passed to a system. Development teams need to ensure that this code cannot be executed on the underlying backend database. Again, some big names have been caught out by this type of vulnerability, including Epic Games, the developer of Fortnite. SQL problems are so widespread that there’s even an online hall of shame.
Has it taken you a lot of time to develop cyber security awareness?
JK: I have a lot of experience in secure development environments, but I wouldn’t describe security-conscious development principles as any more difficult to master than other good development practices. Being at Redscan certainly helps as I’m encouraged to include security training and events in my CPD portfolio and have access to in-house penetration testing expertise, something many other organisations don’t have.
RJ: Collaboration is key. At Redscan, we discuss security issues all the time and bring in others for their professional skills. It’s part of a purple team culture, where we constantly test and challenge each other to do the best job we can. If your organisation doesn’t have security skills in-house, consider working with external consultants to provide advice and undertake specialist web app testing and build and configuration reviews.
What advice would you give to anyone wanting to create a security-minded culture?
JK: Start by talking about security during the development process. Make it a hot topic so you’re sharing ideas and reading about it. It should be part of your review cycle and discussions, whether that’s in an agile scrum or some other methodology. Cyber security should be part of the churn of discussion that surrounds every development project.
RJ: Fostering a cyber security culture starts with everyone regularly undertaking mandatory awareness training. Beyond this, a genuine interest in cyber security issues should be fostered so that developers actively keep abreast of security-related news and learn from the mistakes of others. I’d also encourage every organisation to have a vulnerability disclosure policy, so there is a process for encouraging employees to shine a light on vulnerabilities when they’re found.
JK: Yeah, vulnerability management is hugely important. Some people can think that vulnerabilities being pointed out is in some way personal. It isn’t; it’s just life in modern development. Accepting this means that developers won’t be resistant to raising security issues.
Having a formal written policy is the best way to stand up to external pressures that might lead to corners being cut to meet deadlines.
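As an added example (not code from the interviewees or from Redscan) tying together the points made above about the untrusted client, XSS and SQL injection: the same client-supplied string is executed as code by a lookup that splices it into a query, and treated purely as data by the parameterised version and by an output-encoded template. The table, rows and inputs are constructed for this illustration using an in-memory SQLite database.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the "backend database" discussed above.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Client-supplied text is spliced into the statement, so any SQL syntax
    # it carries is parsed and executed by the database: the defect the
    # interview describes. Kept here only as the "before" of the fix.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Parameter binding sends the value to the database separately from the
    # statement text, so it is matched as a literal and never parsed as SQL.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting(username):
    # Output encoding for the browser: the characters the client sent are
    # shown literally rather than interpreted as markup (the XSS point above).
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"   # constructed input containing SQL syntax
    print("vulnerable:", lookup_vulnerable(db, tainted))  # returns every row
    print("safe:      ", lookup_safe(db, tainted))        # returns []
    print(render_greeting("<b>bob</b>"))
```

The server-side check in `lookup_safe` is the one that matters: whatever validation runs in the browser, a request can arrive at the server without it, so the boundary where untrusted input becomes data must be enforced there.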