Making predictions about how technology will develop and affect our lives in the future is something that can be fraught with risk. When we see various experts tell us what they think is going to happen in the future, it is awe-inspiring and fascinating when we see their predictions come true. On the flip side, the incorrect ones are often cringe-inducing (and both are immortalized on the internet for future generations to applaud or jeer at forever).
One of the most famous (or infamous) of those prognostications comes from a Newsweek article in 1995, where Dr. Clifford Stoll, astronomer and computer expert, attempted to forecast the direction of the internet. The article was essentially a prediction that the internet would never amount to much. And while some of Stoll’s predictions were pretty accurate, he got it wrong on the whole.
For instance, when Stoll talked about e-commerce (he called it cyberbusiness), he asked, “So how come my local mall does more business in an afternoon than the entire internet handles in a month?” Considering the trillions of dollars spent on e-commerce today, that comment is pretty cringey.
I think we can all safely assume today that the internet is no fad. Thousands of companies now use the internet and web applications as their primary means of conducting “cyberbusiness”. The pervasive use of hybrid and public cloud infrastructure to build and publish web applications ever faster means that business on the web keeps growing.
That growth also means that the potential for loss, theft or abuse is growing. Large databases sit behind those web applications, each holding all manner of sensitive information: credit card numbers, Social Security numbers, health information, product codes, intellectual property, and so on. Cyber criminals want that data.
So how do we go about building protections against the bad people? How do we keep cyber attackers from abusing weaknesses in our web applications and infrastructure? There are 5 tips that can help you start getting ahead of cyber criminals when they come after the SQL-backed apps you have deployed in the cloud: secure coding practices, vulnerability scanning and penetration testing, layered defense, blocking and tackling, and intelligent log analysis. For the first tip in this 5-part series, let’s start by looking at secure coding practices.
Secure Coding Practices for Web Applications – Don’t Trust the Input
The first line of defense against web application security flaws like injection and cross-site scripting should always be the creation and deployment of secure code. And the first rule of secure coding is that all input going into a web application should be considered untrusted and potentially malicious. The source of the data does not matter, even if you consider that source trusted (i.e., data coming only from an internal system of some kind and not from the public internet): an internal system can itself be compromised, or simply pass along data that originally came from outside. Secure coding techniques are then applied so that ALL data coming into the web application is validated against what the application actually expects and, where it must reach an interpreter such as a database, handed over in a way that cannot change the meaning of the query (bound parameters for SQL, output encoding for HTML). Anything that fails validation is rejected, not “cleaned up” and passed along.
Let’s look quickly at an illustration of why secure coding is so important. A cyber attacker is focusing on a customer relationship management (CRM) application. In this case, the CRM app has a simple web form that a salesperson can use to input a 5-digit customer ID to look up their latest purchases. The cyber attacker finds the form and starts inputting various SQL fragments to see if the form field is vulnerable to the much-dreaded (and still very common) SQL injection (SQLi) attack. At this point, there are two possibilities: 1) the developer wrote the web application so that the value entered in that form is validated (five digits and nothing else) and passed to the database as a bound parameter rather than spliced into the query text, so it is hardened against SQLi; or 2) the form field accepts pretty much any input and concatenates it straight into the query, so the cybercriminal can send SQL from the web application directly into the database.
If the second of these two scenarios is true, the cyber attacker is taking advantage of code that essentially trusts all input and never validates it. Text sent by the cybercriminal is interpreted by the database as SQL, and can perform actions like dumping a table that the form was never meant to reach, or maybe even the entire database. Or, if the cyber attacker is having a bad day and just feels like wrecking yours, statements can be issued to delete or overwrite the data altogether. Either way, if your business is using a vulnerable form like this, someone will soon be explaining to your customers how their data got leaked or destroyed. That will not be good for business.
The good news is that the first scenario of a hardened and secure web application is very achievable. Web application attacks like SQLi and others are very well documented, and the mitigations (parameterized queries as the primary defense, allow-listing (whitelisting) of expected input as defense in depth, and escaping or sanitization only as a last resort where the first two genuinely cannot be used) are easy to learn and can be found all over the web.
One such source for learning how to code more securely is the Open Web Application Security Project (OWASP). Their Top 10 list of the most critical web application security risks is the de facto web application security standard for companies and regulating bodies around the world. Each Top 10 entry describes the risk and lists concrete ways to prevent it.
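The CRM lookup from the illustration above, written out both ways, as an added example that is not part of the original post. It uses Python’s built-in sqlite3 module with a constructed in-memory table (the `purchases` and `users` schemas, the sample rows and the two attacker payloads are all made up for the demonstration), so it runs offline. `lookup_vulnerable` is scenario 2 (string concatenation); `lookup_parameterized` shows that binding the value alone defeats both payloads; `lookup_hardened` is scenario 1, adding the five-digit allow-list in front of the parameterized query.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the CRM database (sample data, not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE purchases (customer_id TEXT, item TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO purchases VALUES (?, ?, ?)",
        [("10001", "widget", 19.99), ("10001", "gadget", 49.50),
         ("20002", "gizmo", 5.00), ("30003", "doohickey", 120.00)],
    )
    # A second table the salesperson's form was never meant to reach.
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "$2b$12$examplehashA"), ("bob", "$2b$12$examplehashB")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer_id: str) -> list:
    """Scenario 2: the form value is spliced into the SQL text, so whatever the user typed IS SQL."""
    sql = ("SELECT customer_id, item, amount FROM purchases "
           "WHERE customer_id = '" + customer_id + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, customer_id: str) -> list:
    """Primary defense: the driver binds the value, so it can never alter the query's structure."""
    return conn.execute(
        "SELECT customer_id, item, amount FROM purchases WHERE customer_id = ?",
        (customer_id,),
    ).fetchall()


# Allow-list for the only thing this form should ever carry: five ASCII digits.
# [0-9] is deliberate; \d would also accept Unicode digits such as fullwidth '１'.
CUSTOMER_ID_RE = re.compile(r"[0-9]{5}")


class InvalidInput(ValueError):
    """Raised when the form value is not a legitimate 5-digit customer ID."""


def is_valid_customer_id(customer_id: str) -> bool:
    return CUSTOMER_ID_RE.fullmatch(customer_id) is not None


def lookup_hardened(conn: sqlite3.Connection, customer_id: str) -> list:
    """Scenario 1: reject anything that is not a customer ID, then use the bound query."""
    if not is_valid_customer_id(customer_id):
        raise InvalidInput("customer_id must be exactly five ASCII digits")
    return lookup_parameterized(conn, customer_id)


# Constructed attacker inputs typed into the customer-ID field.
DUMP_ALL = "' OR '1'='1"                                            # every purchase row
STEAL_USERS = "' UNION SELECT username, password_hash, 0 FROM users --"  # a different table

if __name__ == "__main__":
    db = build_db()
    print("legitimate lookup:   ", lookup_vulnerable(db, "10001"))
    print("vulnerable, dump all:", lookup_vulnerable(db, DUMP_ALL))
    print("vulnerable, users:   ", lookup_vulnerable(db, STEAL_USERS))
    print("parameterized, same: ", lookup_parameterized(db, DUMP_ALL))
    try:
        lookup_hardened(db, DUMP_ALL)
    except InvalidInput as exc:
        print("hardened rejected:   ", exc)
```

Two things worth noticing when you run it. First, the parameterized query with the `' OR '1'='1` payload returns no rows at all, not an error: the database simply looks for a customer whose ID is that literal string. The validation layer on top is defense in depth (it also gives you a clean place to log and alert on obviously hostile input), but it is the bound parameter that makes the injection impossible. Second, Python’s sqlite3 refuses stacked statements in `execute()`, so a `'; DROP TABLE purchases; --` payload would fail here; many other drivers and databases do not have that restriction, so do not rely on it.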
If you want to know more about specifically avoiding SQLi from the example above, you should take a look at the OWASP SQL Injection Prevention Cheat Sheet.
This post was a collaborative effort with Joe Hitchcock.