Software Integrity Blog

Author Archive

Apoorva Patankar

Apoorva Patankar is a security consultant at Synopsys. She specializes in automated and manual penetration testing of web, mobile, and thick client applications.


Posts by Apoorva Patankar:

Security topics every software developer should know

Software developers and information security professionals have almost always been two mutually exclusive groups. However, with the increase in security awareness, developers have started integrating security into the development process. To further bridge the gap between development and security, it is essential for developers to have a good understanding of security principles. In this post, we’ll talk about the basic security concepts that every developer should be aware of while building applications.

Topic #1: Input validation

An application obtains data from various trusted and untrusted sources during its workflow. It is important to perform input validation of data obtained from all sources to ensure that only properly formed data gains entry into the application workflow. If not properly validated, malformed input can lead to attacks such as SQL injection and cross-site scripting (XSS). Always conduct input validation on the server—even if client-side validation is also present.

Syntactic and semantic validation

It’s important to validate data both syntactically and semantically. Syntactic validation ensures that the input data has the correct elements such as structure, data type, and length. On the other hand, semantic validation ensures the correctness of data per business logic (e.g., checking for negative price).

Blacklisting and whitelisting

The two primary approaches for performing input validation are blacklisting and whitelisting. Blacklisting involves detecting dangerous characters and patterns in the input (e.g., an apostrophe character or the <script> tag) and filtering them out. Since blacklisting does not account for all attack vectors, it is relatively easy to bypass these checks and controls. Also, the blacklist needs to be updated every time a new attack vector is discovered. This isn’t very manageable. As such, blacklists should not be used for validating data.
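The sketch below is an added example, not code from the original post. It shows server-side validation of an order form with whitelist-style syntactic checks followed by semantic checks, next to a blacklist check built from the two patterns the post names. The field names, the SKU format, and the limits are assumptions chosen for illustration.

```python
import re
from decimal import Decimal

# Assumed formats for this example (not from the post).
SKU_RE = re.compile(r"[A-Z]{3}-[0-9]{4}")            # exact shape of a valid SKU
QTY_RE = re.compile(r"[0-9]{1,3}")                   # ASCII digits only, bounded length
PRICE_RE = re.compile(r"-?[0-9]{1,6}(\.[0-9]{2})?")  # a well-formed decimal amount
BLACKLIST = ("'", "<script>")                        # the two patterns the post names

def blacklist_ok(value):
    """Blacklist approach: accept anything that contains no listed pattern."""
    return not any(bad in value for bad in BLACKLIST)

def validate_order(form):
    """Validate an untrusted dict of strings; return (clean_or_None, errors)."""
    clean, errors = {}, []

    # Syntactic validation: structure, data type and length.
    # fullmatch() anchors both ends, so a trailing newline or suffix fails.
    for field, pattern, convert in (("sku", SKU_RE, str),
                                    ("quantity", QTY_RE, int),
                                    ("price", PRICE_RE, Decimal)):
        raw = form.get(field)
        if isinstance(raw, str) and pattern.fullmatch(raw):
            clean[field] = convert(raw)
        else:
            errors.append(f"{field}: malformed")

    # Semantic validation: business rules on values that parsed correctly.
    if "quantity" in clean and clean["quantity"] < 1:
        errors.append("quantity: must be at least 1")
    if "price" in clean and clean["price"] < 0:
        errors.append("price: must not be negative")

    return (clean if not errors else None), errors

if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        {"sku": "ABC-1234", "quantity": "2", "price": "19.99"},
        {"sku": "ABC-1234", "quantity": "2", "price": "-5.00"},   # well-formed, bad value
        {"sku": "ABC-1234; extra", "quantity": "2", "price": "19.99"},
    ]
    for form in samples:
        print(blacklist_ok(form["sku"]), validate_order(form))
```

The third sample passes the blacklist because it contains none of the listed patterns, while the whitelist rejects it for not matching the expected SKU shape.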
