Many developers don't fully understand the implications of releasing unsecured applications, leaving unsuspecting users at risk of being compromised.
Before an application is released, it should go through an in-depth code review, attempting to mitigate risks in the program. This critical step is often skipped due to time restraints, or lack of training in terms of writing secure code. It is often the case that critical, headline developers do not fully understand the security risks they are faced with when developing applications.
Faced with several issues in the previous months with clients' development teams, I have come to realise that many developers are forced to release a product without checking for severe and critical security issues, as they believe their job is just to create an application that's functional, not secure.
After discussions, it is also understandable that many developers are pushed for deadlines and aren't able to perform all tests required to fully secure an application.
I have been faced with many issues like this in the last few months. One such example is when I discovered a blatant security issue in a Web application during a routine assessment. This vulnerability existed on an extremely high profile Web site. The developers of the Web application and site then claimed they should not be held responsible for the bad coding and vulnerabilities on the high profile Web site - as they said they never claimed to be "security experts", just developers. This vulnerability left not only the client extremely vulnerable to attack but also a large amount of the South African users, ie the public were at risk.
Begin fuzzing
It should be expected that when buying a product it will be secure as possible, conforming to specific industry standards - not vulnerable to issues which were known up to seven years ago. What if a mechanic built cars like a developer coded? Buying unsecured software is like buying a car without any safety features, or safety features which have proved to be unreliable in the past. The technology is there but is not being used or implemented correctly.
Time after time many developers assume an application is not vulnerable to attack and won't be cracked just because the source is not viewable, or they have limited specific words in context to limit attacks. This by no means makes an application secure.
With techniques like fuzzing (a method for detecting defects in a program, whereby random data is sent to the inputs of a program) a specific program can be cracked in a short time. Developers should also be making use of these techniques to check if their applications are secure. They are free, easy to run and fast - but more often developers don't make use of these tools and techniques before releasing a critical project.
These days many universities still don't include secure programming in their curricula. So it is important that developers seek more information on securely developing software and know the emerging security trends. There are many papers freely available on the Internet which can be recommended for interested developers.
Set the standard
I estimate that in SA, around 70% to 90% of high profile sites running locally-developed Web applications are still vulnerable to some form of attack.
Dino Covotsos is the founder and CEO of Telspace Systems.
It is hard to be sure if an application or program purchased from a third party is "secure". To be a little more confident with application security, ask the developers if they take security into consideration when developing software.
If still in doubt, ask someone else who has a good understanding of security in development to take a look at it, obviously providing a full application assessment before making a large investment.
I estimate that in SA, around 70% to 90% of high profile sites running locally-developed Web applications are still vulnerable to some form of attack. I welcome any large company to test the theory. This is unacceptable, as so much more can be done in order to have a greater security standard.
Companies whose Web sites host confidential information must be aware of the possible security issues on the site. It is also imperative that before providing a Web site with personal information, users trust they are as secure as possible and have had security audits on the applications that are utilised. People are losing their personal information daily due to attackers who break into insecure Web sites and harvest their details. The market for this information is very large, and extremely viable for any criminal wanting to make a quick buck.
In the future, I hope to see a greater awareness of security issues among developers, including how to remediate such issues for future applications.
* Dino Covotsos is the founder and CEO of Telspace Systems.
Share