Feb 20, 2002 (07:02 PM EST)
Stop Cyberattacks Before They Can Start
Read the Original Article at InformationWeek
Corporate systems are increasingly at risk of cyberattacks that target particular vulnerabilities in E-commerce applications, be they commercial or custom-developed software. Many of these security holes stem from the way the applications are designed, according to a new study by security consulting firm @stake Inc. The firm was asked by clients in the financial, telecommunications, software, energy, and electronics industries to review their enterprise applications and assess their security vulnerabilities.
Corporate perimeters are rapidly dissolving and Internet-facing applications are proliferating, says Andrew Jaquith, @stake program director and an author of the study, which was conducted over the past year and a half. E-commerce applications are driving business innovation and companies are increasingly relying on these systems to carry out trading activities within and between corporate boundaries. The need for rigorous application security is of the utmost importance, Jaquith says.
The firm identified nine common classes of security flaws, including inadequate access controls and authentication features built into applications; lack of user session security; and an overreliance by programmers on client-side validation to establish trust between two entities communicating over the Internet.
So what's the solution? Jaquith notes that software developers must embrace more rigorous software engineering and security design practices. This includes emphasizing authentication and authorization methods early in the design phase, implementing mechanisms to validate user input on the server, encrypting sessions end to end, and following safe data-handling practices. Many developers have a habit of building administrative backdoors into applications so they can regain access once the software is deployed, a practice that Jaquith says must stop. In addition, developers must implement quality-assurance checks to ensure an application remains safe from breaches after deployment.
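As an added illustration of two of the flaw classes above, trusting client-side validation and weak authentication checks, here is an order-total handler that accepts what the browser sends beside one that re-validates on the server. This is example code written for this page, not from @stake or the study; the catalog, session and order values are constructed.

```python
# Added example: server-side re-validation versus trusting client-side checks.
# CATALOG, Session and the order dicts are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Server-side source of truth for prices, in cents.
CATALOG = {"sku-100": 4999, "sku-200": 1250}


@dataclass
class Session:
    user_id: str
    authenticated: bool


class OrderError(ValueError):
    pass


def total_trusting_client(order: dict) -> int:
    """Flawed: the checkout form's JavaScript checked price and quantity, so
    the server simply uses the total it was sent. Client-side validation only
    holds for a cooperative client, so a modified request bypasses it."""
    return order["client_total"]


def total_validated(order: dict, session: Session) -> int:
    """Hardened: authenticate first, then recompute the total from server-side
    prices and re-check every quantity. Any client-supplied total is ignored."""
    if not session.authenticated:
        raise OrderError("authentication required")
    total = 0
    for sku, qty in order["items"].items():
        if sku not in CATALOG:
            raise OrderError(f"unknown item {sku}")
        # bool is a subclass of int, so check the exact type.
        if type(qty) is not int or not 1 <= qty <= 100:
            raise OrderError(f"invalid quantity for {sku}")
        total += CATALOG[sku] * qty
    return total


def validation_error(order: dict, session: Session) -> Optional[str]:
    """Return the rejection reason for an order, or None if it is accepted."""
    try:
        total_validated(order, session)
    except OrderError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed request: two units of sku-100 but a tampered client total.
    tampered = {"items": {"sku-100": 2}, "client_total": 1}
    print("trusting client:", total_trusting_client(tampered))
    print("server-validated:", total_validated(tampered, Session("alice", True)))
```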