Next, when outputting data, you have to marshal that data and prevent it from causing problems wherever you're outputting it. If the output context is, say, XML-formatted, then your user data must not ever affect that context by containing things like "<" or ">". Failing to do that will result in injection attacks every single time. But it's tricky -- you have to deeply understand where you're sending data and how it will be used, and then safely format it for that context.
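To make the point concrete, here is an added example in Python (not from the article) that builds a small XML record from a constructed "display name" and shows what happens when user data reaches the document raw, escaped for element text, and escaped for an attribute. It uses only the standard library; the sample inputs and element names are made up for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Constructed sample input: in the XML context below these characters are not
# part of a name, they are document structure.
UNTRUSTED_NAME = "Alice</name><role>admin</role><name>"

# Constructed sample input for the attribute context: the double quote is the
# attribute delimiter, so element-text escaping alone does not protect it.
UNTRUSTED_LABEL = 'x" admin="true'


def build_user_xml_unsafe(name: str) -> str:
    """The mistake the article describes: user data concatenated into XML as-is."""
    return f"<user><name>{name}</name><role>guest</role></user>"


def build_user_xml_safe(name: str) -> str:
    """Marshal the value for the element-text context before it touches the document."""
    return f"<user><name>{escape(name)}</name><role>guest</role></user>"


def build_item_xml_wrong_context(label: str) -> str:
    """escape() handles <, > and &, but not the quote that ends an attribute."""
    return f'<item label="{escape(label)}"/>'


def build_item_xml_safe(label: str) -> str:
    """quoteattr() escapes for the attribute context and supplies the quotes itself."""
    return f"<item label={quoteattr(label)}/>"


def roles_of(doc: str) -> list:
    """Parse the document the way a downstream consumer would and list every <role>."""
    return [r.text for r in ET.fromstring(doc).iter("role")]


def name_of(doc: str) -> str:
    """Return the <name> text the consumer sees; the safe form round-trips exactly."""
    return ET.fromstring(doc).find("name").text


def attribute_names(doc: str) -> list:
    """List the attributes the consumer sees on the single <item> element."""
    return sorted(ET.fromstring(doc).attrib)
```

Parsing the output rather than eyeballing the string is the useful check: the unsafe document gains a second, attacker-chosen <role>, while the escaped one carries the same bytes the user typed and nothing more.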
And you need to always expect the worst of users, APIs and all input/output. I liken this to the following scenario: You're a caretaker of a toddler, and the two of you need to cross a busy city street during rush hour. Now, toddlers are not generally noted for their good judgment, so it is your job to expect the worst at all times. When you see the toddler looking inquisitively at something shiny lying in the street, you must prevent the toddler from diving into the street to retrieve it. Failing to do that can of course have bad consequences.
In case you missed the analogy, your software is the toddler. Security professionals are akin to primary caregivers, who are attuned to the dangers that lurk because they are accustomed to always pondering what can go wrong. Software professionals are more like secondary caregivers, who have taken the toddler for rush-hour strolls less often and haven't learned to be so pessimistic. The thing is that, just as with those two caregivers, if we can get security professionals and software professionals to work together effectively, we will all benefit in the long run.
I recently worked with a group of software folks who seemed to accept this message and quickly grok it. After I was finished with my work, I was talking with my client, who told me that within a day of my project's finish, he'd had several requests from both his developers and his security team to explore the question of how the two organizations could better work together.
A sweet victory indeed, albeit just the first step of many to make meaningful changes in how that group develops software. It certainly isn't going to be an easy process, but recognizing that it must be done is vital.