Article: Taking a Wider View of Code Security
Sep 20th, 2009 | By Karl Rohde | Category: Article, Examples
“Modern web applications are reliable and secure”
Security. It is a common component of the marketing material coming from companies that sell web-based solutions.
That is the perception that most technology companies like to present to their prospects and existing clients. However, this perception may not be entirely valid. Is your company misleading your prospects and clients?
It is estimated that there are close to 500,000 sites with currently undetected source code vulnerabilities. Many of these vulnerabilities are potentially devastating for the business owner. That spells potential liability for you, the service provider.
Do you remember the first time your development team released code that was not quite up to standard? What was the client’s reaction? Did they even know? Worse still, did it involve your attorney?
You’re not alone: most web development firms, whether they sell SaaS products or do bespoke development, will release insecure code at some stage. Compared to general logic or functional bugs, web application security issues are far more subtle, and their repercussions can be far more wide-reaching as well.
At a high level, you may have any of the following to audit:
- Authorization and Authentication
- Command Execution
- Cross Site Scripting
- File Access
- SQL Injection
- Stored Cross Site Scripting
Can your development team really cover all of these manually?
Putting in place a strict testing regime, including a degree of automated testing, will mitigate your risk of releasing insecure code. The best option is a third-party tool.
It is critical that you introduce this form of testing into your quality assurance program. As web-based applications become more complex and your source code base grows in size, manually auditing the code base becomes prohibitively resource intensive.
The big question is what happens when your manual audit fails. Note, that is when, not if. An automated software tool is your best bet for consistent results. It never gets tired, never has a hangover, and is never having a bad day.
Can you afford to not have a tool scanning for source code vulnerabilities in your quality assurance process?