As application security awareness increases, people often wonder how web apps are still insecure. Certain vulnerabilities, such as SQLi and XSS, are almost ubiquitous. These vulnerabilities are able to find their way into web applications due to lack of education, the absence or negligence of security in the software development life cycle (SDLC), and due to the difficulty of development. Let’s examine these web app security issues a bit closer.
Most universities are not vocational schools. Computer science courses are not about teaching students how to develop software. The courses give students the fundamentals needed to understand the theory and application of computer science. Unfortunately, this means students can go through their entire educational careers without ever touching on security.
Also, students visit sites like stackoverflow.com to get help with their projects. While Stack Overflow is a very useful tool, it can also be dangerous. Take this Stack Overflow post for example. The top answer shows how to use prepared statements for the SQL statement as seen in Figure 1.
While this answer is the best, it can be difficult to understand. The next two answers are much simpler to understand but open up the possibility for SQLi as seen in Figure 2.
However, universities have started noticing the increase in cyber crime. This leads me to believe that application security discussions are becoming more common within university-level courses. In addition to discussions, universities are beginning to offer courses that are exclusively about security. Unfortunately, these courses are not always required to graduate.
With the next generation of application developers being exposed to security earlier in their careers, it will be easier for them to incorporate security into the SDLC.
The standard SDLC has six phases:
Unfortunately, it doesn’t explicitly include security anywhere. This makes it seem like security isn’t part of the SDLC. However, security should be included in every single phase.
Project managers gathering the requirements are responsible for ensuring that the requirements don’t weaken the application’s security posture. The development team that designs the application needs to ensure that they don’t introduce design flaws into the application. Also, they need to ensure their implementation of the application doesn’t introduce vulnerabilities. QA is responsible for finding any bugs introduced in the implementation phase. The DevOps and System Admins deploying the application are responsible for the security posture of the application’s infrastructure. Finally, the maintenance is a combined effort from all teams to ensure any vulnerabilities that made it through the SDLC are patched out.
Development is really easy when your application’s code fits on one screen. This lets you see all your logic in one spot and tracing through the code is simple.
Web applications are not that small. Due to the large size of these commercial applications, introducing vulnerabilities is easy. Since developers cannot keep the entire code base in their head, a change in one module can open up an attack vector in another part of the application.
Additionally, there are countless frameworks for developing web applications. Some of them require developers to know multiple languages in order to work with them. This adds to the difficulty because now developers need to know secure coding practices in several languages.
Due to lack of education, security missing in the SDLC, and the difficulty of development, we are still seeing vulnerable web applications. However, now that we’re beginning to see security knowledge in education curriculum, developers are being exposed to these concepts sooner. Thus, they are able to include security into the SDLC, making it a habit in their career. This doesn’t mean web apps will stop having vulnerabilities, but it does mean that we will see less vulnerabilities in the future!