Why developers write vulnerable code
  College curriculums: lack a security module; not updated
  Programmers: hard to find; lack formal training; unaware of the issues

Common vulnerability types
  XSS (cross-site scripting)
  SQL injection
  Overflows
  Format string bugs

Typical bug lifecycle without a framework
  Bug is reported
  Programmer spends time learning about it
  Programmer implements a fix
  Development time and cost increase
  A later patch may overwrite the previous fix
  Vulnerability is reintroduced
Security / input/output validation framework: how?
  Identify the risk-posing tasks in the application:
    Grabbing user input
    Reading/writing files
    Displaying data
    Using SQL
    Displaying sensitive user data
    Buying an item
  Identify the common vulnerability types for each risky task, together with a best-practice approach to locking it down.
  Create the list in conjunction with a senior member of the development team and a security consultant.
Grabbing user input
  Use strong data types where applicable
  Identify and enforce data length restrictions
  Identify and enforce whitelists of acceptable characters when using strings

Reading/writing files
  Perform and enforce lowest-rights permission checking

Displaying data
  Create a whitelist of acceptable characters
  Characters not on the list are escaped, stripped or HTML-encoded before display

Using SQL
  Enforce a character whitelist to prevent SQL injection

Performing important application functionality
  Proper session validation (authentication)
  Object access checking (authorization)
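The following is an added illustration of the rules above as a small validation framework, not code from the original slides or from any of the libraries they name. The field names, the rules for a "buy item" form, and the in-memory users table are constructed assumptions. It enforces strong types, length limits and character whitelists on input, HTML-encodes on output, binds SQL parameters instead of concatenating them, and separates the authentication check from the authorization check.

```python
"""Minimal input/output validation framework (added example; the form
fields, rules and sample table below are constructed for illustration)."""
import html
import re
import sqlite3
from dataclasses import dataclass
from typing import Optional, Pattern


class ValidationError(ValueError):
    """Raised when user-supplied input breaks a field rule."""


@dataclass(frozen=True)
class FieldRule:
    """One whitelist entry: expected type, maximum length, allowed characters."""
    name: str
    kind: type = str                           # strong type: str or int
    max_len: int = 64                          # enforced length restriction
    allowed: Optional[Pattern[str]] = None     # whitelist regex for strings


# Hypothetical rules for a "buy item" form (assumption, not from the slides).
RULES = {
    "username": FieldRule("username", str, 32, re.compile(r"[A-Za-z0-9_.-]+")),
    "quantity": FieldRule("quantity", int, 4),
    "comment":  FieldRule("comment", str, 200, re.compile(r"[A-Za-z0-9 ,.!?'-]*")),
}


def validate(field: str, raw: str):
    """Enforce length, type and whitelist for one field; return the typed value."""
    rule = RULES[field]
    if len(raw) > rule.max_len:
        raise ValidationError(f"{field}: longer than {rule.max_len} characters")
    if rule.kind is int:
        # Strong typing: only digits are accepted, then converted to int.
        if not re.fullmatch(r"\d+", raw):
            raise ValidationError(f"{field}: expected a non-negative integer")
        return int(raw)
    # fullmatch so a trailing newline or stray character cannot slip past '$'.
    if rule.allowed is not None and not rule.allowed.fullmatch(raw):
        raise ValidationError(f"{field}: characters outside the whitelist")
    return raw


def is_valid(field: str, raw: str) -> bool:
    """Boolean convenience wrapper around validate()."""
    try:
        validate(field, raw)
        return True
    except ValidationError:
        return False


def encode_for_html(value: str) -> str:
    """Output side: encode everything the browser could interpret as markup."""
    return html.escape(value, quote=True)


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user(conn: sqlite3.Connection, username: str):
    """Parameterised query: the value is bound, never pasted into the SQL text,
    so quote characters in the input stay part of the literal."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchone()


@dataclass(frozen=True)
class Session:
    user_id: Optional[int]      # None means nobody is authenticated


def require_owner(session: Session, owner_id: int) -> bool:
    """Authentication first (is anyone logged in?), then authorization
    (does the logged-in user own the object being accessed?)."""
    if session.user_id is None:
        return False
    return session.user_id == owner_id
```

The whitelist on input and the encoding on output are deliberately both present: the whitelist rejects bad data early, while encoding protects display even when a value reached the page by a path that skipped validation (for example, a legacy table).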
Consider using existing frameworks
  Well-known issues are already addressed
  Saves development time
  Bug fixes are applied in one central location rather than in many places

Examples
  Java Validation Library for Java
  XWork validator for Java Struts
  JSTL for JSP
  Anti-XSS Library for Microsoft .NET
Getting the development team on board
  Create a best-practices document outlining how to address each risky task
  Run a short training course
  Hold Q&A sessions to address the dev team's concerns
  Emphasize the code-management advantages and the consistency of security checking

Cost and acceptance
  Time savings are essential for developer acceptance
  The framework initially adds to development time
  Management and future code audits become easier

Enforcement
  Make use of the framework a project requirement, with consequences for failing to implement it without a good reason
  Otherwise developers treat it as an optional step
References
  The business case for security frameworks, by Robert Auger: http://www.webappsec.org/projects/articles/042307.shtml
  The Cross Site Scripting (XSS) FAQ: http://www.cgisecurity.com/articles/xss-faq.shtml