I recall a project I worked on a few years ago where I was tasked with overseeing the security of a website we were building. When I sat down with the chief programmer I wanted to discuss three types of vulnerabilities with him: cross-site scripting, SQL injection and information leakage. His response was simply, “I don’t know anything about this stuff and I don’t care. That’s your job.”
While other web developers I have worked with aren’t generally so curt in their response, I have noticed that not many of them are aware of the different vulnerabilities that exist when it comes to web site development.
When it comes to websites, WhiteHat Security has published data that should be required reading for every web developer, not to make your job more complicated, but to give you a better understanding of the threats your sites face.
- Most websites were exposed to at least one serious* vulnerability every day of 2010, or nearly so (9–12 months of the year). Only 16% of websites were vulnerable less than 30 days of the year overall.
- 71% of Education, 58% of Social Networking, and 51% of Retail websites were exposed to a serious* vulnerability every day of 2010.
- During 2010, the average website had 230 serious* vulnerabilities.
- SQL Injection vulnerabilities, despite large numbers of them being found and fixed during 2010, still occurred in 14% of websites.
So what does this mean for the average web developer? That we have to take a hard look at the security of our websites, because there is a pretty good chance we left an opening somewhere.
Knowing the Threats
Understanding the threats we face when writing code gives us a foundation for protecting websites against attackers. According to WhiteHat, the most prevalent vulnerability classes found in website code are:
- Information leakage
- Cross-site scripting
- Content spoofing
- Cross-site request forgery
- Brute force attacks
- Insufficient authorization
- Predictable resource location
- SQL injection
- Session fixation
- Abuse of functionality
Least Secure Language
Knowing which languages tend to produce the least secure sites can also help you write more secure code. A WhiteHat report ranked programming languages common to web development by the average number of serious vulnerabilities found per site built in them. Keep in mind that these are per-site averages over the sites WhiteHat assessed, so they say as much about the codebases and frameworks surveyed as about the language itself. The results are:
- Perl – 44.8
- Cold Fusion – 34.3
- PHP – 26.6
- JSP – 25.8
- Microsoft ASP – 25
- Struts DO – 19.9
- Microsoft ASPX – 18.7
Best Practices for Secure Development
Finally, we turn to OWASP for the best practices it recommends to web developers as guidance for implementing security mechanisms and avoiding vulnerabilities:
- Validate user input
- Use secure authentication services
- Make sure only authorized users can perform actions allowed within their privilege level
- Practice good session management
- Protect your code against attacks from common interpreters
- Protect confidentiality and integrity with cryptography
- Use best practices when it comes to error handling
- Protect the file system
- Make sure your code runs securely out of the box, don’t assume it is the responsibility of the operator to secure it
- Be aware that Web 2.0 technologies also pose security risks
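The list above is guidance rather than code, so here is an added example (mine, not from the original post, WhiteHat or OWASP) showing what several of these items look like in practice: a SQL lookup written by string concatenation beside its parameterized form, allow-list validation of a username field, output encoding against cross-site scripting, and an error handler that leaks internals beside one that does not. It uses only Python's standard library with an in-memory SQLite table; the user rows, the username policy and the error messages are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed sample data: an in-memory database standing in for a site's user table.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def build_db():
    """Create the sample database. The rows are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    """SQL injection: the input is concatenated into the query text, so a value such as
    ' OR '1'='1 rewrites the WHERE clause and returns every row."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened form: a parameterized query. The driver passes the value separately from
    the SQL text, so it is never parsed as SQL, whatever it contains."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list policy for the username field (a hypothetical rule chosen for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(username):
    """'Validate user input': accept only what the field is allowed to contain and reject
    everything else, rather than trying to strip out known-bad characters."""
    return USERNAME_RE.fullmatch(username) is not None


def render_greeting(username):
    """Cross-site scripting defence: encode untrusted data for the HTML context it is
    written into. '<' becomes '&lt;' and quotes become entities, so no markup is injected."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


def error_page_vulnerable(exc):
    """Information leakage: echoing the exception reveals internals (table names, paths)."""
    return "<p>Error: " + html.escape(str(exc)) + "</p>"


def error_page_safe(exc, log):
    """Hardened error handling: record the detail server-side, show the user a generic page."""
    log.append(repr(exc))
    return "<p>Something went wrong. Please try again later.</p>"


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # both rows
    print("safe:      ", lookup_safe(conn, payload))         # []
    print("validate:  ", validate_username(payload))         # False
    print("greeting:  ", render_greeting("<script>alert(1)</script>"))
    try:
        conn.execute("SELECT * FROM no_such_table")
    except sqlite3.Error as exc:
        log = []
        print("leaky:     ", error_page_vulnerable(exc))
        print("safe:      ", error_page_safe(exc, log), log)
```

Validation and parameterization are complementary, not alternatives: the allow-list rejects junk early and gives a clean error, while the parameterized query protects the database even for fields whose legitimate values must contain quotes (names, free text). Output encoding has to match the context (HTML body here; attributes, JavaScript and URLs each need their own), which is why frameworks that encode on output by default are worth choosing.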
Again, knowing the different types of vulnerabilities that can threaten your code will not make you a security expert. However, understanding the threats you face will help you write more secure code, and in the long run that can certainly make you a valuable asset to any development team.