Secure by Design: Simple security flaw developers miss

 
Ranch Hand
Hi,

What is an example of a simple security flaw most developers miss when designing new software?

Thanks!
 
Sheriff
It might be an interesting exercise to list down what things you do as a developer to build security into your designs. From there, it might be easier for someone knowledgeable with security to identify gaps in your practice.
 
Marshal
Many security breaches have nothing to do with the programming; you simply phone up and ask for some information you shouldn't have.
 
Junilu Lacar
Sheriff
Here are just a few of the most common developer-related security lapses I have seen in my experience:

1. Poor input validation / failing to differentiate between trusted and untrusted input sources
2. Naive dynamic SQL queries that create SQL injection attack vulnerabilities
3. Poor secret management / passwords kept in plain text
4. Naive dynamic views that are susceptible to XSS attacks
5. Poor application exception handling - stack traces leaking out potentially sensitive info to the client
6. Poor logging practices - sensitive information written out to logs
7. Failure to manage security vulnerabilities associated with platform and technologies used - falling behind on security updates

These are just some of the most egregious I have seen. You'll find more at the OWASP Top 10.
 
Author
Hi, I think there are already some really good examples in this thread, but if I were to pick one thing that I think is common, and the culprit of many security flaws, it would be input validation.

Input validation can mitigate several vulnerabilities such as XSS, Open Redirects, SSRF, and more. The vulnerabilities can be complex but input validation is, at its core, not that difficult. Sure, some validation can be very tricky to get right but a little goes a long way and a lot of times security flaws are caused by a complete absence of validation.

Our observation is that there’s a challenge for developers to remember to validate input in order to secure the code. In Secure by Design we approach this challenge by stressing the importance of business/domain validation. That is, asking the developers to make the domain logic really crisp. The end goal is still to achieve input validation but we approach it, and motivate it, from a different perspective.

It's also good to remember that, in most applications, nothing is "just a string". Input is usually expected to be "something" and that "something" can be verified via validation.
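
As an added illustration of the "nothing is just a string" point in the post above (not part of the original thread and not code from Secure by Design): a Java value type for a same-site return path, which refuses the absolute URLs behind open redirects. The class name `ReturnPath`, the `locationHeader` helper, the length limit and the allowed-character set are assumptions made for this example.

```java
import java.util.regex.Pattern;

// Hypothetical domain primitive: a post-login return path that must stay on this site.
public final class ReturnPath {
    private static final int MAX_LENGTH = 200; // assumed business limit
    // Allow-list: "/" followed by segments of letters, digits, '-' and '_' joined by single slashes.
    private static final Pattern ALLOWED =
        Pattern.compile("/(?:[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*/?)?");

    private final String value;

    public ReturnPath(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("return path is required");
        }
        // Cheap length check first, so the regex never runs on oversized input.
        if (raw.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("return path too long");
        }
        if (!ALLOWED.matcher(raw).matches()) {
            throw new IllegalArgumentException("return path has unexpected format");
        }
        this.value = raw;
    }

    public String value() { return value; }

    // Takes ReturnPath, not String: unvalidated input cannot reach the redirect by accident.
    static String locationHeader(ReturnPath target) {
        return "Location: " + target.value();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two legitimate paths, then values a redirect must refuse.
        String[] samples = {
            "/orders/42", "/", "//evil.example/login",
            "https://evil.example", "/a\r\nSet-Cookie: x=1", "/search?q=<script>"
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + locationHeader(new ReturnPath(s)));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```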
 