Security - more than just firewalls and anti-virus software
At the beginning of the Internet era, security was still regarded as an unnecessary cost during the development phase of an application; today everyone is sensitised to the risks posed by hackers, viruses and other vermin. Firewalls, anti-virus software, anti-spyware measures and intrusion detection have found their way into the IT landscape, for private users and companies alike.
The 2005 situation report published by the Federal Office for Information Security (BSI) confirms this: for 83% of IT managers in German companies, IT security is one of the most important topics. That is good news. Fewer attacks succeed, the effects of careless employees' actions are intercepted, and a large share of the flood of unwanted advertising email (spam) is held back.
In the majority of cases, the risks come from within the company itself
According to the BSI statistics, the integrity and confidentiality of important corporate data are jeopardised above all by errors and negligence on the part of company staff. The problem is not limited to opening virus-infected email attachments.
Intentional attacks are in many cases initiated by insiders, who exploit both user accounts with excessive privileges and known weak points in applications. Although damage from intentional attacks is rarer than damage from error or negligence, it is among the most severe, because its target is internal confidential data in particular, one of the corporate assets most worthy of protection.
An insider, whether an employee or an external consultant, has an easy time in the corporate network: no firewall or intrusion detection system has to be overcome. In addition, information about applications can be collected over a long period in order to target their weak points precisely.
Types of risks and weak areas in applications
Attacks on applications fall into three categories of risk, corresponding to confidentiality, integrity and availability: data intended only for a certain group of people is made accessible to third parties and can cause a great deal of damage that way; the integrity of the data is jeopardised when an attacker manipulates or irreparably destroys it; and finally, attackers attack applications in order to disrupt their availability or paralyse them completely.
The sources of these risks are many and varied.
During the development phase of an application, detailed error messages are an essential means of tracing errors and analysing the program's behaviour. Such messages occasionally make it into the release version of the software. A typical example is the error raised after the application's database account has been changed. Such messages frequently contain information that points potential attackers to weak spots, or simply reveals details of the system infrastructure: "User 'MyWebAppUser' cannot logon to server '192.168.23.22' - Password incorrect." This alone gives an attacker important information: there is a database user 'MyWebAppUser' and a database server at IP address 192.168.23.22. Invaluable input for planning attacks and inferring the infrastructure.
This must be avoided under all circumstances. All detailed information that reveals the internal workings of the application should be replaced by a generic error message. The details should instead be written to an application log, so that administrators and developers can analyse and eliminate errors while the application is in operation. The .NET Framework offers various options for centralising error handling, implementing logging and presenting non-specific error messages to users without giving up the information needed to fix the error.
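The following C# program is an added example, not code from the original article or from swift.consult. It shows the split described above: the exception detail, including the leaky database logon message quoted in the text, is written to a server-side log under a short reference ID, while the user sees only a generic message carrying that ID. The in-memory log list and the `developmentMode` flag are stand-ins for a real log sink and for a configuration setting; the exception itself is constructed, no database is contacted.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the original article. Detail goes to a
// server-side log keyed by a reference ID; the user gets a generic message.
public static class ErrorPolicy
{
    // Stand-in for the real log sink (file, Windows Event Log, database table).
    public static readonly List<string> ServerLog = new List<string>();

    // Leaky variant: a debug-style handler that has slipped into the release build.
    // The user sees the account name, the server address and the stack trace.
    public static string HandleLeaky(Exception ex)
    {
        return "Error: " + ex.Message + Environment.NewLine + ex.StackTrace;
    }

    // Hardened variant: full detail is logged under a reference ID; only the ID
    // is shown, unless the application is explicitly running in development mode
    // (the equivalent of ASP.NET's customErrors mode="RemoteOnly").
    public static string HandleHardened(Exception ex, bool developmentMode)
    {
        string reference = Guid.NewGuid().ToString("N").Substring(0, 8);
        ServerLog.Add(string.Format("{0:O} ref={1} {2}: {3}{4}{5}",
            DateTime.UtcNow, reference, ex.GetType().FullName, ex.Message,
            Environment.NewLine, ex.StackTrace));

        if (developmentMode)
            return "ref " + reference + ": " + ex.Message;   // developers still get the detail
        return "An internal error occurred. Please contact support and quote reference "
               + reference + ".";
    }
}

public static class Program
{
    // Simulates the failing database logon quoted in the article. The message is
    // constructed for this example; no real database is involved.
    static void OpenDatabase()
    {
        throw new InvalidOperationException(
            "User 'MyWebAppUser' cannot logon to server '192.168.23.22' - Password incorrect.");
    }

    public static void Main()
    {
        try { OpenDatabase(); }
        catch (Exception ex)
        {
            Console.WriteLine("Leaky:    " + ErrorPolicy.HandleLeaky(ex));
            Console.WriteLine("Hardened: " + ErrorPolicy.HandleHardened(ex, developmentMode: false));
        }
        Console.WriteLine("--- server log (administrators and developers only) ---");
        foreach (string line in ErrorPolicy.ServerLog) Console.WriteLine(line);
    }
}
```

In classic ASP.NET the same split is achieved with `<customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />` in web.config together with an `Application_Error` handler in Global.asax that retrieves the exception via `Server.GetLastError()` and logs it; in ASP.NET Core the `UseExceptionHandler` middleware plays that role. The reference ID is what makes the generic page usable for support without giving the attacker anything to work with.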
This is just one example of how applications can be made more secure during development with little effort. Validation of user input is equally important. The rule here is: input is to be treated as a potential risk until the contrary has been proven. Multi-stage validation at every layer of an application is necessary in order to fend off attacks such as SQL injection or cross-site scripting.
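As an added example (not code from the original article or from swift.consult), the C# program below shows two of those validation stages for a login lookup: a whitelist check on the username at the input boundary, and a parameterised query at the data layer, side by side with the vulnerable string-concatenation version. It assumes the Microsoft.Data.Sqlite package and uses an in-memory SQLite database with constructed sample data, so it runs without a database server. The concatenated version accepts the classic tautology payload `' OR '1'='1` as a valid login; the parameterised version does not.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Data.Sqlite;   // NuGet package Microsoft.Data.Sqlite (assumed available)

// Added example, not code from the original article. Input validation at the
// boundary plus a parameterised query at the data layer, next to the
// vulnerable concatenation that SQL injection exploits.
public static class LoginDemo
{
    // Stage 1: syntactic whitelist at the boundary. Anything that does not look
    // like a username is rejected before it reaches the other layers.
    static readonly Regex UserNamePattern = new Regex("^[A-Za-z0-9_.-]{1,32}$");

    public static bool IsValidUserName(string name)
    {
        return name != null && UserNamePattern.IsMatch(name);
    }

    // Vulnerable: the input becomes part of the SQL text, so quotes in the input
    // change the meaning of the statement.
    public static bool LoginConcatenated(SqliteConnection conn, string name, string password)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM users WHERE name = '" + name +
                          "' AND password = '" + password + "'";
        return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
    }

    // Stage 2: parameterised query. The SQL text is fixed at compile time and the
    // input is bound as data, so it can never be interpreted as SQL.
    public static bool LoginParameterised(SqliteConnection conn, string name, string password)
    {
        if (!IsValidUserName(name)) return false;          // stage 1 enforced again here
        var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM users WHERE name = $name AND password = $pw";
        cmd.Parameters.AddWithValue("$name", name);
        cmd.Parameters.AddWithValue("$pw", password);
        return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
    }

    public static void Main()
    {
        using (var conn = new SqliteConnection("Data Source=:memory:"))
        {
            conn.Open();
            var setup = conn.CreateCommand();
            // Constructed sample data. A real application stores password hashes,
            // never plaintext passwords.
            setup.CommandText = "CREATE TABLE users(name TEXT, password TEXT);" +
                                "INSERT INTO users VALUES('alice', 's3cret');";
            setup.ExecuteNonQuery();

            // Tautology payload: the attacker knows neither a username nor a password.
            string payload = "' OR '1'='1";

            Console.WriteLine("whitelist accepts payload:     " + IsValidUserName(payload));
            Console.WriteLine("concatenated, payload:         " + LoginConcatenated(conn, payload, payload));
            Console.WriteLine("parameterised, payload:        " + LoginParameterised(conn, payload, payload));
            Console.WriteLine("parameterised, real user:      " + LoginParameterised(conn, "alice", "s3cret"));
        }
    }
}
```

The parameterised query alone is what stops the injection; the whitelist is defence in depth and also keeps script fragments out of fields that will later be displayed. The presentation layer needs its own stage for the cross-site scripting case: encode every value on output, for example with `System.Net.WebUtility.HtmlEncode`, rather than trusting that earlier layers filtered it.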
Conclusion
Security must become a central topic in the company. It is not enough to guard against external attack; testing applications for errors and vulnerabilities must be part of the development process.
swift.consult advises you on the choice of appropriate security measures at application level and beyond. Qualified staff determine your application security requirements, identify weak points and align your software development with maximum security. Contact us today and take advantage of an initial, non-binding consultation.