For software developers who quite understandably detest hackers, it probably doesn’t seem natural or appealing to think like a hacker in order to build better applications. But does the FBI not have to think like criminals in order to protect financial institutions? Does the DEA not have to think like meth manufacturers in order to locate those chemical-filled trailers? Do mothers not have to think like sugar-hungry sons in order to successfully hide a bag of chocolate chips in the vegetable crisper?
Thinking like a hacker is imperative for producing excellent, secure software. But since it’s hard enough learning to engineer awesome software, how can you be expected to have time to learn how to think like a hacker too? How about this: start with the basics. And then just keep doing the basics.
HTTPS Instead Of HTTP To Prevent Eavesdropping
The post-Snowden era has brought with it the fear of government spying and spying in general, spurring concerns over data encryption. Not without cause, of course. There is a simple step you can take in order to eliminate the chances of a good number of man in the middle attacks: using HTTPS instead of HTTP.
HTTPS is SSL over the HTTP protocol, which means that all data passed between two clients (or a client and a server) is encrypted. This protects from data sniffing over the Internet and within the organisation. At the very least, you have to encrypt data that transfers sensitive data such as social security numbers, credit card numbers, and any contact information. Last year was the year of the big embarrassing data breach and really, people, we have to have learned something from it.
Form Validation To Prevent SQL Injection
SQL injection is a type of attack that takes advantage of poorly constructed backend development. It’s been working like a charm for hackers for over 15 years, so maybe it’s high time the SQL injection party gets the lights turned out. When users send data through forms, some developers build a SQL string based on the input. This can allow a hacker to input a SQL statement and deliberately dump data from the database or even delete it.
Form validation prevents this type of attack by identifying malformed SQL and returning an error to the user. You can avoid this type of attack using stored procedures as well, but validating form input is still the best prevention method. Some software development frameworks even have their own classes included that validate SQL input.
Lock Accounts To Prevent Weak Passwords From Being Exposed
Brute force attacks occur when the attacker sends numerous “guesses” to your login forms in an attempt to access a secure area of the site. Brute force attacks mainly use dictionary guesses with some numbers factored into the attacks. It takes numerous attempts to succeed with a brute force attack. These aren’t necessarily time-efficient attacks. But thanks to a combination of weak passwords and limitless login attempts, they work.
As a developer, you may not be able to do much about people using ‘password1’ as a password, but you can lock out accounts and force password resets after a certain threshold is met. For instance, after five consecutive login attempts, lock the account and force a password reset. You can also simply lock the account and send the user notification that login attempts were made on the account.
Secure Your Server Because… You Need A Secure Server
Your server is the workhorse for your entire application, and it has to be tightly secured. Remove unneeded services on the server, and ensure that only administrators are allowed to access it remotely. Some administrators use alternative ports for remote administration to “hide” the server’s ability for remote control.
Any users on the server should be carefully scrutinised, especially considering that hackers sometimes add a backdoor to it to avoid detection. Another technique you can use is to separate the operating system files from the application files by partitioning the drive. This will prevent directory traversal attacks. However you manage your server security, make a point to review application security firm Checkmarx’s beginner’s guide to application security to ensure that you have your bases covered.
Testing, Testing, Please Please Please!
After you design and implement your security, you can either hope for the best, or you can test it. Testing can be done manually by qualified QA people or you can use third-party tools. If you aren’t familiar with standard attacks, find a third-party tool that will help you determine weak points in the application. Better yet, combine automated testing with human testing for the most comprehensive security analysis.
It’s A Process
Just as the DEA occasionally raids the wrong shifty-looking trailer and just as many mothers have lost bags of chocolate chips they’ve tried to hide in the freezer, you can’t expect to become an expert security developer overnight. But you can learn the ropes as you build software, consult with security experts, and use the right tools to find security flaws in the application.