Developers and IT security professionals have always been treated as two mutually exclusive groups by organizations, typically. Considering the amount of cyber-related leaks, hacks and privacy concerns of the modern information age, bridging this gap is of utmost importance. Integrating security into the development process from the ideation stage is paramount for the success of technology. In this blog post, we’ll discuss some common security concepts that developers can implement in their applications to protect their customers and data.
Method 1: Input validation
Input validation on a server or even client-side is done to prevent malformed inputs that can lead to attacks such as SQL injections and cross-site scripting. Since applications obtain data from various sources both trusted and untrusted, it is important to validate the data before it gains entry into the application’s workflow. Input validation is one of the most common and basic security implementations that most modern applications use.
a) Syntactic and semantic validation
Validation of data can be done both syntactically and semantically. Syntactic validation is basically checking data syntax to ensure that data has the correct structure, data type, length etc. Semantic validation ensures correctness of the data and whether it aligns with business logic. For example, checking if prices have been wrongfully entered as negative is semantic validation.
b) Blacklisting and whitelisting
Blacklisting involves detecting dangerous characters, patterns and filtering them out. This process isn’t foolproof and is relatively easy to bypass because the blacklist requires new attack vectors to be added to the list. It’s not the greatest way of validating data because of how difficult it is to manage.
Whitelisting involves defining a set of approved characters and patterns. Here you’re enforcing characters and patterns form a defined set. Hence it is a stronger approach for input validation that blacklisting.
Method 2: Output encoding
Many security professionals recommend output validation as well. Encoding output data before sending it to the target interpreter adds another layer of security. Here the encoding is done by converting special characters executed by the target interpreter into an equivalent language for the interpreter to understand. Web browsers use this method of security by using HTML encoded responses, therefore preventing browsers from executing script tags and preventing potential XSS attacks.
Method 3: Database access
Applications that access databases to either retrieve or store information are open to potential SQL injection attacks. Parameterized queries can help the database distinguish between application code and data, unlike dynamic SQL queries. Another way to prevent SQL injection attacks is to make use of stored procedures, which are essentially SQL statements that are defined and stored in the database. However, developers should be wary of using unsafe dynamic SQL queries inside the stored procedure. And finally, managing user privileges accurately is also very important. The less permissions a user has, the less damage they can do to digital assets, compartmentalizing damage if the account is compromised.
Method 4: Use cryptography
Here a few common cryptography essentials that you should be familiar with:
- Only use cryptographic algorithms that are widely accepted by the cryptography community.
- Apply strong encryption algorithms like AES and avoid using weaker algorithms like DES and RC4.
- Implement secure hashing algorithms like SHA-2 and SHA-3 instead of using the insecure algorithms SHA-1 and MD5.
- Adopt a strong encryption key with a length of 128 bits or higher.
- Use cryptographically secure pseudorandom number generators (CSPRNG).
- Use strong password hashing functions like PBKDF2, bcrypt, and scrypt.
Method 5: Secure error handling
Make sure that the error handling in the application is implemented properly. Improper error handling may lead to two issues:
- Information leakage. If error messages containing stack traces or database dumps are revealed to the user, it may provide insight into potential code vulnerabilities. To prevent this, the application should only display generic error pages to the end user.
- Application enters an unhandled state. Ensure that the application ‘fails securely’ for both expected and unexpected error conditions and that it handles all exceptions properly.