
Are you missing the obvious security checks while developing Web Applications?



Introduction

Building a website or an internet-facing application is no longer hard; there is a plethora of resources for producing a polished web-enabled product. Today almost everything we do is assisted by internet-enabled software, be it e-commerce, banking, education, healthcare or automobiles, to name a few. The tools and technologies used to build these applications differ in their features, but the end user is not aware of the protocols and rules that the developer community follows. This can lead to a situation where the developer assumes that the end user will use the application as intended, and a malicious minority takes advantage of that assumption to exploit the resources that internet-enabled applications provide. Today we will look at some of the areas where emphasis on security by the developer community can lead to more secure software on the web.


Having Security Testing in your Test Strategy

Developers know that the code works and is tested for functionality and performance, but the data it handles and its reach over the internet need thorough thought to protect against unintended use. To enable this it is important to have security testing in the test plan. Software development is moving to agile and becoming faster paced, but fast-paced development leads to more vulnerabilities that intruders can exploit: using default settings, leaving default credentials on resources, leaving sensitive data unencrypted, and so on. No doubt we need faster development, but not at the cost of security and the other non-functional aspects of software. Devising a strategy for security testing is unavoidable and is a must for an organization of any size, whether the software is developed for a single user or for a large enterprise.


Tips for enhancing Software Security


Validating the Code

HTML that is improperly coded will not render correctly in the browser. HTML, whether hand-coded or generated by other software, can be error-prone and should always be validated against its standard.


Making use of automated tests for invalid or negative test

  • Positive tests can be few, but a larger effort is required for testing with invalid data, i.e. negative tests. Automated tests should be designed to perform these and thus exercise the client's and the server's ability to deal with invalid data


Making Judicious use of Web Controls

  • Only the required information should be displayed on the web page
  • Unauthorized automated tools should not be able to gather information from web controls
  • There should not be any vulnerabilities in web controls, such as empty anchors
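As an added example that is not part of the original post, the following checker, built on Python's standard html.parser, flags two of the defects named in the sections above: tags left open or mismatched (the kind of error validating against the standard catches) and empty anchors, meaning an a element with no usable href or no link text. The sample markup is constructed for the demonstration; a conformance validator checks far more than this, and the snippet only illustrates the shape of an automated check.

```python
from html.parser import HTMLParser

# HTML5 void elements take no closing tag, so they never go on the open-tag stack.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


class MarkupChecker(HTMLParser):
    """Reports unclosed/mismatched tags and anchors with no target or no text."""

    def __init__(self):
        super().__init__()
        self.stack = []            # currently open non-void tags, outermost first
        self.problems = []         # findings, in document order
        self._anchor_text = None   # text seen inside the current <a>, None when outside

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self._anchor_text is not None:
            self._anchor_text += "[img]"   # an image counts as link content
        if tag in VOID_ELEMENTS:
            return
        self.stack.append(tag)
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            if href in ("", "#"):
                self.problems.append("empty anchor: <a> without a usable href")
            self._anchor_text = ""

    def handle_data(self, data):
        if self._anchor_text is not None:
            self._anchor_text += data

    def handle_endtag(self, tag):
        if tag in VOID_ELEMENTS:
            return
        if tag == "a" and self._anchor_text is not None:
            if not self._anchor_text.strip():
                self.problems.append("empty anchor: <a> with no link text")
            self._anchor_text = None
        if tag in self.stack:
            # Anything still open above the matching tag was never closed.
            while self.stack[-1] != tag:
                self.problems.append(f"unclosed <{self.stack.pop()}> before </{tag}>")
            self.stack.pop()
        else:
            self.problems.append(f"stray closing tag </{tag}>")

    def finish(self):
        self.close()
        for tag in reversed(self.stack):
            self.problems.append(f"unclosed <{tag}> at end of document")
        self.stack.clear()
        return self.problems


def check_markup(html):
    """Return a list of findings; an empty list means no structural problems found."""
    checker = MarkupChecker()
    checker.feed(html)
    return checker.finish()


# Constructed sample: an unclosed <b>, an anchor with an empty href, and an
# anchor with no link text.
SAMPLE = """<html><body>
<div><p>Welcome <b>back</p></div>
<a href="">click</a>
<a href="/account">  </a>
<img src="logo.png" alt="logo">
</body></html>"""

if __name__ == "__main__":
    for finding in check_markup(SAMPLE):
        print(finding)
```

Running it on the sample reports the unclosed b element and both empty anchors; an empty list from check_markup is what a build step would require before the page is published.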


Check for unauthorised access

While sharing data over the internet, check the following:
  • Only the intended users have access to the data
  • Sensitive information is encrypted
  • Access to unused ports is blocked
  • Server-side and user data are isolated so that other applications or operators do not get unauthorized access
  • The POST method is used to send form information instead of GET
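The following request handler is an added example, not code from the original post, that turns the checklist above into server-side behaviour: it refuses anonymous callers, requires POST for the form endpoint, checks that the caller owns the record (or is an admin) before returning or changing it, and returns only the fields the page needs, with the card number masked. The records, roles and paths are constructed for the example; a real application would do the same checks in its web framework's handlers.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory data store standing in for the application's database.
# Each record belongs to one user and holds a field (the card number) that
# must never leave the server in full.
RECORDS = {
    101: {"owner": "alice", "email": "alice@example.com", "card_number": "4111111111111111"},
    102: {"owner": "bob",   "email": "bob@example.com",   "card_number": "5500000000000004"},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
PUBLIC_FIELDS = ("owner", "email")   # the only fields a page needs to display


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str]               # authenticated principal, None if anonymous
    form: dict = field(default_factory=dict)


def parse_id(value) -> Optional[int]:
    """Accept only positive integers; anything else is treated as 'no such record'."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return None
    return n if n > 0 else None


def can_access(user: str, record: dict) -> bool:
    """Object-level check: the owner or an admin, nobody else."""
    return record["owner"] == user or ROLES.get(user) == "admin"


def mask_card(number: str) -> str:
    return "*" * (len(number) - 4) + number[-4:]


def handle(req: Request):
    """Tiny request handler returning (HTTP status, JSON-style body)."""
    if req.user is None:
        return 401, {"error": "authentication required"}

    if req.path == "/records/update":
        # Form data travels in the body with POST; with GET it would sit in the
        # URL and end up in browser history, proxy and server logs.
        if req.method != "POST":
            return 405, {"error": "form submissions must use POST"}
        record = RECORDS.get(parse_id(req.form.get("id")))
        if record is None or not can_access(req.user, record):
            return 404, {"error": "not found"}
        record["email"] = str(req.form.get("email", record["email"]))
        return 200, {"updated": True}

    if req.method == "GET" and req.path.startswith("/records/"):
        record = RECORDS.get(parse_id(req.path.rsplit("/", 1)[1]))
        # "Forbidden" is answered like "missing" so record ids cannot be probed.
        if record is None or not can_access(req.user, record):
            return 404, {"error": "not found"}
        body = {k: record[k] for k in PUBLIC_FIELDS}
        body["card_last4"] = mask_card(record["card_number"])   # never the full number
        return 200, body

    return 404, {"error": "not found"}


if __name__ == "__main__":
    print(handle(Request("GET", "/records/101", "alice")))
    print(handle(Request("GET", "/records/101", "bob")))
    print(handle(Request("GET", "/records/update", "alice", {"id": "101"})))
```

The ownership check runs on every path that touches a record, not only on the page that lists them, because a request can be crafted for any record id regardless of what the user interface shows.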


Testing for Client Side and Server side code

Server-side code is more structured and easier to test, but client-side code has many parts and should be tested too: it should suppress the generation of invalid requests to the server, and the server should likewise not send invalid data to the client. This can be tested by injecting invalid data into the HTML exchanged between the two sides and observing how each reacts.
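As an added example serving both the negative-testing tip and the client/server testing tip above (not code from the original post), here is a server-side validator for a registration form together with a harness that derives invalid submissions from one valid form and checks that the server rejects every one of them. The harness feeds the server directly, which is exactly what a tampered request does when the client-side script is bypassed. The form fields, rules and sample values are constructed for the example.

```python
import re

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
REQUIRED = ("username", "email", "age")


def server_validate(form):
    """Server-side validation of a registration form.

    Returns {field: error}; an empty dict means the form is acceptable.  It trusts
    nothing the client-side script may have checked, because the client can be
    bypassed entirely.
    """
    errors = {name: "missing" for name in REQUIRED if name not in form}
    for name in form:
        if name not in REQUIRED:
            errors[name] = "unexpected field"      # unknown parameters are rejected, not ignored
    if errors:
        return errors

    username, email, age = form["username"], form["email"], form["age"]
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        errors["username"] = "3-20 letters, digits or underscores"
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.fullmatch(email):
        errors["email"] = "not a valid address"
    # Form values arrive as strings.  isascii() matters: "²".isdigit() is True but
    # int("²") raises, so a non-ASCII digit must be refused before conversion.
    if not (isinstance(age, str) and age.isascii() and age.isdigit() and 13 <= int(age) <= 120):
        errors["age"] = "must be a whole number between 13 and 120"
    return errors


VALID = {"username": "alice_01", "email": "alice@example.com", "age": "34"}

# Values a client-side check would normally never send but a tampered request can.
BAD_VALUES = {
    "username": ["", "ab", "a" * 21, "alice smith", "alice<b>", None, ["alice"]],
    "email": ["", "plain", "a@b", "@example.com", "a@b.c\n", "x" * 250 + "@e.com", 12],
    "age": ["", "abc", "-5", "12", "121", "3.5", "²", " 34", None],
}


def negative_cases():
    """Derive invalid forms from VALID by breaking exactly one thing each."""
    cases = []
    for name in REQUIRED:
        form = dict(VALID)
        del form[name]
        cases.append((f"missing {name}", form))
    for name, values in BAD_VALUES.items():
        for value in values:
            cases.append((f"{name}={value!r}", {**VALID, name: value}))
    cases.append(("unexpected field is_admin", {**VALID, "is_admin": "true"}))
    return cases


def run_negative_tests():
    """Names of invalid forms the server wrongly accepted; should be an empty list."""
    return [name for name, form in negative_cases() if not server_validate(form)]


if __name__ == "__main__":
    print(f"{len(negative_cases())} negative cases, accepted by mistake: {run_negative_tests()}")
```

The one positive case is cheap; the value of the harness is in the long list of negatives, which is why generating them from a table is preferable to writing each by hand. Any name that run_negative_tests returns is a gap in server-side validation.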


Testing Timing-Related Issues

Varying the network speed while testing the application can expose timing-related issues and enable fixing them.
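The harness below is an added example, not code from the original post, of replaying one scenario at several simulated network delays: a user submits a form, the response is slow, and the user submits the same form again. A fake clock stands in for real latency so the run is instant and deterministic; the server, client, timeout and form token are all constructed for the example. It shows the issue that only appears on a slow network (the client times out while the server has already processed the request) and one common mitigation, a one-time token per form so the resubmission is recognised rather than processed twice.

```python
class FakeClock:
    """Simulated time so the harness runs instantly and deterministically."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class Server:
    """Order endpoint.  With dedupe=True a one-time form token makes a resubmitted
    form a rejected duplicate instead of a second order."""
    def __init__(self, clock, latency, dedupe=True):
        self.clock, self.latency, self.dedupe = clock, latency, dedupe
        self.orders = []
        self.seen_tokens = set()

    def submit(self, form):
        self.clock.advance(self.latency)          # network round trip + processing
        token = form.get("token")
        if self.dedupe and token in self.seen_tokens:
            return {"status": 409, "error": "duplicate submission"}
        self.seen_tokens.add(token)
        self.orders.append(form["item"])
        return {"status": 200}


class Client:
    """Browser-side caller that gives up after `timeout` seconds."""
    def __init__(self, clock, server, timeout):
        self.clock, self.server, self.timeout = clock, server, timeout

    def submit(self, form):
        started = self.clock.now
        response = self.server.submit(form)
        if self.clock.now - started > self.timeout:
            # The client never sees the answer, but the server already did the work.
            return {"status": 0, "error": "timed out"}
        return response


def run_at_latencies(latencies, timeout=2.0, dedupe=True):
    """Replay the same scenario at each network delay: the user submits a form, sees
    no result, and clicks submit again with the same form.

    Returns {latency: (first status, second status, orders recorded on the server)}.
    """
    results = {}
    for latency in latencies:
        clock = FakeClock()
        server = Server(clock, latency, dedupe)
        client = Client(clock, server, timeout)
        form = {"item": "book", "token": "form-token-1"}    # token issued with the page
        first = client.submit(form)["status"]
        second = client.submit(form)["status"]
        results[latency] = (first, second, len(server.orders))
    return results


if __name__ == "__main__":
    print("with token:   ", run_at_latencies([0.1, 5.0]))
    print("without token:", run_at_latencies([0.1, 5.0], dedupe=False))
```

On the fast network both variants look fine from the user's point of view; only the slow run, with the token disabled, records the order twice, which is the kind of defect that never shows up when the application is tested on a fast local network.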


Emphasis on Design rather than Implementation

Brooks termed object-oriented (O-O) programming a "brass bullet" in his "'No Silver Bullet' Refired" reflection, since it promises to allow programmers to build with bigger pieces. Brooks considered why O-O hasn't been a silver bullet and shared an excerpt from correspondence with Parnas:

"The answer is simple. It is because [O-O] has been tied to a variety of complex languages. Instead of teaching people that O-O is a type of design, and giving them design principles, people have taught that O-O is the use of a particular tool. We can write good or bad programs with any tool. Unless we teach people how to design, the languages matter very little. The result is that people do bad designs with these languages and get very little value from them. If the value is small, it won't catch on."


Changing the Browser Settings & using different browsers

Check that the web application works seamlessly and securely on multiple browsers and when browser settings change, such as turning scripts, plugins and extensions on and off.


Tools for Security Testing

Many in-house tools should be developed with security in mind. There are also a few online resources available that the developer community can take advantage of.
 

Understanding & Educating Users about their Safety

Developers are tech savvy, but the extent to which the internet has penetrated our everyday life is remarkable. There is no way back from here. The speed at which it has penetrated is testimony that its pros outweigh its cons. However, it is the responsibility of creators, developers and end users combined to help each other through this endeavour. End users should be aware of, and have access to, secure and legitimate uses of technology in everyday life. This will not only make everyday tasks easier for end users but also improve their quality of life.


Conclusion

Developers are human and users are human, but software is not human and cannot tell whether the user is a human or some unintended machine stealing information. It is high time we put more emphasis on the security aspects of web applications, from the developers' as well as the end users' point of view. Today security deserves much more attention than it was given relative to other aspects of the software development process in the past. The more trustworthy software becomes, the more enriching and fulfilling it will be!
