Whether you are a developer and/or just a normal user, if I ask you: What is a good software? What are the first thoughts that come to your mind? “Easy to use”, “Fast”, “Easy to update”. Am I right? Well, you probably thought about these ones because they are easy to spot, if a software is slow to perform a task or the “send” button is nowhere to be found, anyone can noticed that, but what about security? Can you tell if a software is secure and no one can hack it?
According to the OWASP, these are The Ten Most Critical Web Application Security Risks.
- (SQL/Command) Injection;
- Broken Authentication and Session Management;
- Cross-Site Scripting (XSS);
- Insecure Direct Object References;
- Security Misconfiguration;
- Sensitive Data Exposure;
- Missing Function Level Access Control;
- Cross-Site Request Forgery (CSRF);
- Using Known Vulnerable Components;
- Unvalidated Redirects and Forwards;
Now, I have to ask you one more question, how many of the above list do you know? One? Two? All of them, seriously?
Well, SQL Injection is quite famous and one thing that really bothers me is that if this vulnerability and its solution are known by the developers, why is it still out there in a quite number of applications?
What are the reasons in your opinion:
- Architects/Developers don’t care about security vulnerabilities?
- Architects/Developers don’t know about security vulnerabilities?
- It does not exist good tools to help developers find and fix security vulnerabilities?
- The deadlines are to blame?
Which of these do you think is right? Just one? More than one? I would love to read your input on that.
Okay, this was just an introduction to the topic, now we move on to the main question: Should these vulnerabilities be early detected?
Imagine that you are developing a software and after 6 months you are ready to deploy it, but just before that, you decide to hire a hacker to check if your software is secure, the hacker comes in and after 5 minutes gives you a list with 200 problems divided into 10 categories (such as the OWASP Top 10). And now? Do you cry? Do you start from scratch? What can you do…
What if during the development you could have had some help that could have avoided all this waste of time and money, I believe it would have been great, no?!
Searching the Internet I found a few plugins for Eclipse (the IDE I use) that can really help on this topic, these plugin are:
- FindBugs (Free)- http://findbugs.sourceforge.net/index.html
- Lapse (Free) – https://code.google.com/p/lapse-plus/wiki/lapse_plus
- CodePro (Free) – https://developers.google.com/java-dev-tools/codepro/doc/
- Fortify ($$) – http://www.fortity.com/
- CodeProfiler ($$) – http://www.codeprofilers.com/
These plugins are cool, they analyze your code and generate a report with all the vulnerabilities found in it, but in order to give you the report they have to analyze your finalized code, in other words, you have already spent a long time developing it and if there are vulnerabilities you will have to redo your work. The thing that would make these plugins out of this world would be to analyze the code during the development, so once you make a mistake it would give you a warning and you could fix the problem immediately.
My main idea with this post is to spread the word, to tell you that usability, efficiency and others are important but security is important as well.
What about you guys, do you use any of these or other tools to ensure your code is secure, or you just don’t care?
Thank you for your time and feel free to leave any comments or questions.