
Application security critical to development

Security must become a key part of the software development process.
By Catherine De Klerk, Automated software quality consultant at Compuware SA.
Johannesburg, 02 Nov 2006

The recent spate of SQL injection attacks on corporate databases internationally should ring a warning bell for South African companies that leave security as an afterthought in their application development processes.

In fact, it could only be a matter of time before hackers start turning their attention to local systems if large local companies are not adequately prepared.

Apart from SQL injection attacks, hackers typically make use of buffer overruns, cross-site scripting and bad error handling to obtain confidential corporate information or gain access to Web sites.

An SQL injection attack executes malicious SQL commands by taking advantage of insecure code to attack database-driven Web sites. The increased risk of these kinds of attacks is largely due to the availability of tools for hackers.
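To make the "insecure code" concrete, here is an added example (not code from the article or from Compuware) showing the same user lookup written two ways against a constructed in-memory SQLite database: the 'before' form pastes the untrusted value into the SQL text, so quote characters in the input change the statement; the hardened form binds the value as a parameter, so the driver treats it purely as data.

```python
import sqlite3


def make_demo_db():
    """Constructed sample user store standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """'Before' form: string formatting builds the SQL, so input that contains
    a quote character becomes part of the statement rather than a value."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def find_user_parameterized(conn, username):
    """Hardened form: the value is passed as a bound parameter. The database
    never parses it as SQL, so a quote in the input is just a character."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "x' OR 'a'='a"   # constructed input containing a quote character
    print("vulnerable:", sorted(find_user_vulnerable(db, crafted)))     # every user
    print("parameterized:", find_user_parameterized(db, crafted))        # no match
```

The parameterized version is the one to keep; the vulnerable one is shown only so that the difference in how the driver handles the same input is visible.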

Buffer overruns are one of the first attacks used by hackers to probe the security of a site. If developers have not put sufficient validation around a Web site field, the hacker may be able to corrupt the application, enabling him to access business data. This also causes many application problems down the line.

Using cross-site scripting, hackers test whether application servers are validating and encoding script content effectively. If not, they can inject malicious scripts into the pages an organisation serves to its users' Web browsers. For example, they can introduce a pop-up box requesting confidential information from the user. The user believes he is interacting with the site, but is in fact giving information away.

If an application handles errors badly, instead of responding to a bad field entry with a meaningful error message, it may simply return an automated error message that reveals internal corporate code or system details.
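The three weaknesses above (insufficient validation around a field, unencoded script content, and error messages that leak internals) are usually fixed in the same request handler. The following is an added example, not code from the article or from Compuware, of a hypothetical form-field handler in Python: it rejects over-long or unexpected input up front, HTML-encodes the value before it is rendered, and maps any back-end failure to a generic message plus a reference id while the detail stays in the server log. The field name, length limit, allowed character set and the simulated back-end failure are all constructed for the illustration.

```python
import html
import logging
import re
import uuid

log = logging.getLogger("demo")

# Constructed limits for a hypothetical "display name" form field.
MAX_FIELD_LEN = 40
ALLOWED = re.compile(r"^[A-Za-z0-9 .'-]+$")


class ValidationError(ValueError):
    """Raised for input the field should never accept."""


def validate_field(value):
    """Reject over-long or unexpected input before it reaches any other code."""
    if not isinstance(value, str):
        raise ValidationError("field must be text")
    if len(value) > MAX_FIELD_LEN:
        raise ValidationError("field too long")
    if not ALLOWED.match(value):
        raise ValidationError("field contains disallowed characters")
    return value


def render_greeting(value):
    """Encode the value for HTML so the browser displays it and never executes it."""
    return "<p>Hello, %s</p>" % html.escape(value, quote=True)


def lookup_profile(value):
    """Hypothetical back-end call; it fails for one constructed name so the
    error-handling path can be exercised."""
    if value == "ghost":
        raise RuntimeError("table PROFILES not found in schema CORP_APP")
    return render_greeting(value)


def handle_request(value):
    """Return (status, body). Every failure becomes a generic message; internal
    detail goes to the server log under a reference id the user can quote."""
    try:
        return 200, lookup_profile(validate_field(value))
    except ValidationError as exc:
        # Field-level problem: say what to fix, nothing about internals.
        return 400, "<p>Invalid input: %s</p>" % html.escape(str(exc))
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("request %s failed", ref)  # stack trace stays server-side
        return 500, "<p>Something went wrong. Reference %s</p>" % ref


if __name__ == "__main__":
    for sample in ["Thabo", "<script>alert(1)</script>", "x" * 41, "ghost"]:
        print(handle_request(sample))
```

Validation and output encoding are kept as separate steps deliberately: the allow-list stops obviously hostile input at the boundary, and the encoding still protects the page if a value reaches the template by another route.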

Historically, the IT skills shortage in the local market has forced many developers to concentrate less on building security into their applications and systems right from the start. Developers simply do not have as much time as hackers do. Sufficient time is needed during application development to ensure excellent security at every phase of development.

In addition, development and testing are still performed on production data, despite Basel II's recommendations forbidding it. Developers are also often against implementing too much security as, in general, the more secure an application, the more difficult it is to use. However, when applications are easy to use, there are often many security gaps to be exploited.

Around 8 000 SQL injection attacks occur worldwide every day and with losses running into the hundreds of millions of dollars, it is apparent that hacking is here to stay.


Security weaknesses can expose a company's critical data to attack or theft. Simple problems such as insufficient error handling consistently reveal the weaknesses apparent in many systems in the local market.

These problems are aggravated by the availability of hacking tools which aid hackers in producing SQL scripts to steal or delete data. It takes far less skill to attack a database today than it did five years ago and the problem is only going to get worse.

Instead of despairing, developers need to understand the tools on the market that can help, and must ensure security is top of mind right from the beginning of any application development project. They must already be thinking security at the requirements analysis stage.

Security needs to be enforced at the application layer using specialised tools designed to analyse vulnerabilities and the error handling capabilities of the application as well as tools to generate test data instead of using actual production data.
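As an added illustration of the last point (generating test data rather than copying production data), here is an example that is not from the article or from any Compuware product: a small Python generator that produces reproducible synthetic customer records. Names, the e-mail domain (the reserved `.invalid` TLD) and the account-number prefix are all constructed; the account numbers carry a valid Luhn check digit so they pass the application's format validation without corresponding to any real account.

```python
import random
import string

# Constructed name pools for the synthetic records.
FIRST_NAMES = ["Thabo", "Lerato", "Sipho", "Naledi", "Pieter", "Anika"]
SURNAMES = ["Dlamini", "van der Merwe", "Naidoo", "Botha", "Mokoena"]


def luhn_check_digit(payload):
    """Standard Luhn check digit for a string of digits (rightmost payload
    digit is doubled, since it sits second from the right once the check
    digit is appended)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def make_test_customers(n, seed=0, prefix="999999"):
    """Generate n synthetic customer records. The seed makes the set
    reproducible so a test suite can regenerate it instead of storing a copy;
    the prefix is a constructed value chosen not to match a real issuer."""
    rng = random.Random(seed)
    customers = []
    for i in range(n):
        payload = prefix + "".join(rng.choice(string.digits) for _ in range(9))
        customers.append({
            "customer_id": i + 1,
            "name": "%s %s" % (rng.choice(FIRST_NAMES), rng.choice(SURNAMES)),
            "email": "test%04d@example.invalid" % (i + 1),
            "account_number": payload + luhn_check_digit(payload),
        })
    return customers


if __name__ == "__main__":
    for record in make_test_customers(3, seed=42):
        print(record)
```

Because the generator is deterministic for a given seed, a test environment can be rebuilt from a seed and a record count rather than from an export of live data, which removes the copy of production data that Basel II objects to.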

By taking these steps, developers can concentrate on building better applications while ensuring that security remains a fundamental part of the development cycle.


We have already seen the early signs of security threats locally with major banks reporting breaches. It is not enough simply to tell clients to update their anti-virus programs while unsecured applications continue to exist on the sites of major banks, financial companies and other large corporations. We need to stop paying lip service to security and start making it a critical part of the development process.

* Catherine De Klerk is automated software quality consultant at Compuware SA.
