One Day, It Dawns on You…
Let’s say you’ve developed code for a while. If a Project Manager, business partner, boss, or someone else with requirements comes to you, you can convert their business-speak into technical requirements. You can turn those requirements into an application that gets the job done. Customers love the results of your labor! As the accolades roll in, you’re probably feeling pretty confident.
Then you read an article like this one in CSO Online that says 736 million data records were exposed in 2015. Troubled, you put your developer’s skills to work and look for a solid, technically recognized reference to explain how your baby might be vulnerable. You find Verizon’s 2015 Data Breach Investigations Report. You read. And you read.
And you read.
You study the charts. You match your business’ profile against the ones in the report.
You set the report aside, realizing that it’s good high-level data, but you need something more concrete. You find the SANS Securing Web Application Technologies (SWAT) Checklist. It has seven sections and a total of 58 individual entries. The picture’s getting clearer; it’s a good description, but it has few code examples, and some of the terminology may be unfamiliar.
Undaunted, you cast around for something more focused and helpful for you as a developer. You come upon the Open Web Application Security Project (OWASP) Top 10. Finally! A resource designed specifically for developers! There are some actual code examples! But after more review, you find that some of the examples are aging or refer to products that aren’t being updated. Or the examples aren’t in a language that you’re using.
If the data’s there, it’s not in a form that’s easy to get hold of.
So, after hours of careful deliberation and research, you come to the conclusion:
Crap. I’m doomed.
If some of the biggest companies in the world can’t keep their data safe…
If even some nation-states can’t protect themselves…
If the leading industry solution providers don’t have something that’s easy to consume…
Yet your application still needs to run on the internet…
What can you do?
The Truth Is… Well, You Know!
It’s out there (the truth, that is).
You know why validating data’s important for your application, right? You wouldn’t let someone enter a negative dollar amount in a gambling game. You wouldn’t let someone enter “99/aa/0998af” as a birth date. You wouldn’t let someone upload an EXE file instead of a JPG (and you’d check the file’s contents rather than its name, because anyone can rename an executable to “photo.jpg”). You wouldn’t do these things because you feel responsible for protecting the data that comes into your application, right? You know that the wrong data results in the wrong outputs. And that makes customers unhappy.
At its essence, that’s security.
The data’s out there. It’s just not packaged for quick consumption — which is what you as a developer need.
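To make that concrete, here are the three checks from the gambling-game examples above written out in Java. This is an added illustration, not code from the series the author describes below; the class name InputChecks, the wager limit, the 150-year age cut-off, and the sample inputs are all assumptions made for the example.

```java
import java.math.BigDecimal;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.time.format.ResolverStyle;
import java.util.Arrays;
import java.util.Optional;

// Added example: one validator per check described in the text. Each method
// returns the parsed value only when every rule passes, so the caller never
// has to remember which half of the check it forgot. Limits are assumptions.
public class InputChecks {

    // Largest single wager this hypothetical game accepts (assumed limit).
    private static final BigDecimal MAX_WAGER = new BigDecimal("10000.00");

    // A wager must be plain digits with at most two decimals, strictly
    // positive, and no larger than the house limit. The regex runs before
    // BigDecimal so exponents ("1e3"), signs ("-50") and separators ("1,000")
    // never reach the parser at all.
    public static Optional<BigDecimal> wager(String raw) {
        if (raw == null || !raw.matches("\\d{1,6}(\\.\\d{1,2})?")) {
            return Optional.empty();
        }
        BigDecimal value = new BigDecimal(raw);
        if (value.signum() <= 0 || value.compareTo(MAX_WAGER) > 0) {
            return Optional.empty();
        }
        return Optional.of(value.setScale(2));
    }

    // STRICT resolution refuses impossible dates such as 2015-02-30; the
    // default SMART mode would quietly pull that back to 2015-02-28.
    // STRICT requires the proleptic year field 'uuuu' rather than 'yyyy'.
    private static final DateTimeFormatter ISO_DATE = DateTimeFormatter
            .ofPattern("uuuu-MM-dd").withResolverStyle(ResolverStyle.STRICT);

    // A birth date must be a real calendar date, not in the future, and
    // plausible for a living person (the 150-year cut-off is an assumption).
    public static Optional<LocalDate> birthDate(String raw, LocalDate today) {
        if (raw == null) {
            return Optional.empty();
        }
        try {
            LocalDate d = LocalDate.parse(raw, ISO_DATE);
            if (d.isAfter(today) || d.isBefore(today.minusYears(150))) {
                return Optional.empty();
            }
            return Optional.of(d);
        } catch (DateTimeParseException e) {
            return Optional.empty();   // "99/aa/0998af" ends up here
        }
    }

    // Every JPEG file begins with the SOI marker FF D8 FF; a Windows
    // executable begins with "MZ". Look at the bytes: the file name and the
    // Content-Type header are both chosen by the person uploading the file.
    private static final byte[] JPEG_MAGIC = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};

    public static boolean looksLikeJpeg(byte[] upload) {
        if (upload == null || upload.length < JPEG_MAGIC.length) {
            return false;
        }
        return Arrays.equals(Arrays.copyOf(upload, JPEG_MAGIC.length), JPEG_MAGIC);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the cases named in the text plus a few
        // that look harmless at a glance but should still be refused.
        System.out.println("wager -50.00       -> " + wager("-50.00").isPresent());
        System.out.println("wager 25.5         -> "
                + wager("25.5").map(BigDecimal::toPlainString).orElse("rejected"));

        LocalDate today = LocalDate.of(2015, 12, 31);
        System.out.println("birth 99/aa/0998af -> " + birthDate("99/aa/0998af", today).isPresent());
        System.out.println("birth 2015-02-30   -> " + birthDate("2015-02-30", today).isPresent());
        System.out.println("birth 1980-02-29   -> " + birthDate("1980-02-29", today).isPresent());

        // First bytes of a Windows executable that someone renamed to .jpg,
        // and the first bytes of a genuine JPEG (both constructed here).
        byte[] exeRenamedToJpg = {0x4D, 0x5A, (byte) 0x90, 0x00, 0x03};
        byte[] realJpegHeader = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0};
        System.out.println("upload MZ...       -> " + looksLikeJpeg(exeRenamedToJpg));
        System.out.println("upload FF D8 FF    -> " + looksLikeJpeg(realJpegHeader));
    }
}
```

The pattern to take away is the same for all three: decide what valid input looks like, accept only that, and hand the rest of the application a typed value (BigDecimal, LocalDate, a verified byte array) instead of the raw string or file the user sent.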
Coding Your Way to a Better Tomorrow
If you know how to code, you can make your applications more secure.
And how do we do that?
It’s a cliché, but one module/class/servlet at a time.
In the coming months, I’m going to share what I’ve learned after decades of coding for various companies in financial and other well-regulated industries. I’ll give you examples that you can copy and paste into your code, or that demonstrate the basic concepts so you can rework the example according to your needs. I’ll cover both Java and PHP. I’ll release the example code under the BSD 2-Clause License, which should give you maximum flexibility and freedom.
In other words, I want to give you tools to help you secure your code so your customers are happier, your boss is happier, and you can sleep better at night knowing you’ve done your best to secure your code.
You’ll add security to your perspective without even thinking of it as security. You’ll be back to converting requirements to your usually amazing applications. Only this time, you’ll know how to avoid the weaknesses that landed many companies in Verizon’s report. Will your code be unassailable? Good heavens, no! But it will be better. And not only better at a specific point in time: you’ll understand how to keep it as secure as is reasonably possible over the long haul.
Watch for the curriculum outline and some sample training videos/articles in the coming months!
by Terrance A. Crow
Terrance has been writing professionally since the late 1990s — yes, he’s been writing since the last century! Though he started writing about programming techniques and security for Lotus Notes Domino, he went on to write about Microsoft technologies like SQL Server, ActiveX Data Objects, and C#. He now focuses on application security for professional developers because… Well, you’ve watched the news. You know why!