Web applications security: just a matter of quality
I'm writing this article to warn all those people who think about paying less to have their own websites developed.
I'm referring, as usual, to my own experience, but I think the problem can be found in a fairly high percentage of web applications in every country in the world.

As I explained in my previous post, in Italy nowadays there are lots of web developers who offer websites (and consequently a fairly high number of web applications) at very low prices. I've always wondered whether their products follow any kind of security quality standard. Most of the time, developers who can sell a whole site for less than 300 Euros offer a CMS-based solution. Even though I'm not a great fan of CMSs, I must say that today it has become really rare to find a CMS with very large security holes, so I won't discuss the quality of any particular CMS here, since I don't even have a good knowledge of the existing ones apart from the most famous (which over the years should have earned more trust regarding security).
Testing a little on the other kind of products, I've discovered that there are still huge security holes in various "low cost" PHP applications (I'm a PHP developer and, I must admit, I haven't tested many ASP applications, but I suppose the problem can be found there too). These applications can usually be recognised by buggy modules used and reused on every site by the same developers, who probably don't know much about the web application security best practices to follow when developing, for example, a backend administration area.
One of the most frequent security problems (and maybe the most dangerous) is, as usual, websites that are vulnerable to SQL injection. The least dangerous thing a malicious surfer can do in these cases is log in as an administrator simply by entering one of the most common SQL injection strings in an ordinary login form.
Obviously an administrator can delete, modify or add content on a site, so you can imagine the consequences such an attack could lead to.
But this is only one of the problems a SQL injection can lead to.
In a worse scenario the attacker could retrieve the database schema and/or delete whole tables and their data.
I will never stop repeating to you, my dear web developers, that security is not a ghost we don't need to be scared of, and that bad things don't happen only to "others".
Keep in mind that you must never trust user input, so always filter input and escape output (this also covers input that could be submitted without going through your own application modules, the ones that filter what users enter in your site's forms or other kinds of input). If you are a fan of Web 2.0 interfaces, remember that the validation of a web form can never be done only in JavaScript: you MUST repeat it on the server side! Not all users browse your sites with JavaScript enabled! And for every kind of input, remember that it's easy enough to make fake requests to your server using several tools (such as Fiddler2, for Windows users).
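The login-form SQL injection described earlier and the "validate on the server, filter input, escape output" advice above, shown together as an added example written for this post (it is not code from the original article or from any of the products mentioned). It assumes an in-memory SQLite database through PDO and a constructed `users` table with a `password_hash` column, so it runs stand-alone.

```php
<?php
// Added example, not code from the original post. Uses an in-memory SQLite
// database via PDO so it runs stand-alone; the `users` table is constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY,
                                password_hash TEXT NOT NULL, is_admin INTEGER NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (:u, :h, :a)')
    ->execute([':u' => 'admin', ':h' => password_hash('s3cret', PASSWORD_DEFAULT), ':a' => 1]);

// VULNERABLE: the request value is pasted into the SQL text, so a crafted
// username is parsed as part of the WHERE clause instead of compared as data.
// This is the kind of login module the post is warning about.
function findUserVulnerable(PDO $pdo, string $user): ?array
{
    $sql = "SELECT username, password_hash, is_admin FROM users WHERE username = '$user'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// HARDENED: validate the input shape on the server (never only in JavaScript),
// bind the value through a prepared statement so it can never become SQL, and
// check the password against a stored hash rather than a plaintext column.
function login(PDO $pdo, string $user, string $pass): ?array
{
    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $user) || strlen($pass) > 128) {
        return null;  // reject malformed input before touching the database
    }
    $stmt = $pdo->prepare('SELECT username, password_hash, is_admin FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;  // same answer for unknown user and wrong password
    }
    unset($row['password_hash']);
    return $row;
}

// Form fields are read without trust; anything echoed back is escaped for HTML.
$user = (string)($_POST['username'] ?? 'admin');   // constructed defaults for the demo
$pass = (string)($_POST['password'] ?? 's3cret');
$account = login($pdo, $user, $pass);
echo $account === null
    ? 'Login failed for ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "\n"
    : 'Welcome ' . htmlspecialchars($account['username'], ENT_QUOTES, 'UTF-8') . "\n";
```

Run from the command line it logs in the constructed `admin` account; posted to from a form, the same function refuses any username that does not match the allowed pattern, whatever the browser-side JavaScript did or did not check.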
It's not a matter of doing a lot of work or becoming a "wizard" of systems security; it's only a matter of learning some best practices and implementing them in your code. It's your coding quality that makes the difference between a reasonably secure product and an insecure one. And security is only one of the things you can improve by learning and coding better.