
Poor practices leave SA sites vulnerable

By Paul Vecchiatto, ITWeb Cape Town correspondent
Cape Town, 22 Jun 2006

Poor coding practices, particularly the lack of input validation, are leaving many South African Web sites vulnerable to attack, say local practitioners.

"The vulnerability to an attack, such as SQL injection, is because of laziness. Developers do not validate their code and this allows hackers to bypass the security systems and access the central mechanisms of the Web site," says Ricky Malgalhaes, director of Fastennet Security.

Malgalhaes showed ITWeb how easily an SQL injection attack can be carried out against a number of local corporate Web sites. The attacks included reading database contents, changing content on the Web sites and retrieving users' log-in details. A prominent auditing firm's site was among the SA Web sites accessed.

"Validation is the process by which code is run against the database and executed," Malgalhaes says.

Sites that are particularly vulnerable to SQL injection are those with the .asp suffix. They can be found easily by simply doing a Google search with the query "login.asp". If the code has not been validated, then the injection process can be used to gain unauthorised entry to the site and view information, he says.
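The login bypass Malgalhaes describes comes down to a query assembled from unvalidated user input. The following is an added example, not code from the article or from any of the sites mentioned: a constructed in-memory SQLite table stands in for the site's user database, one login function concatenates the submitted fields into the SQL string as many login.asp pages of the period did, and the other uses a parameterised query. Table and column names, the sample account and the payloads are all assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the article): one user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation.

    Whatever the user types becomes part of the SQL, so a quote in the
    input ends the string literal early and the rest is parsed as SQL.
    Returns the matched username, or None if no row matches.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Passes the values as bound parameters.

    The database driver keeps the query text and the data separate, so a
    quote or comment sequence in the input is compared as data, never
    executed as SQL. Returns the matched username, or None.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Run both login functions on the same input and report the results."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterised": login_parameterised(conn, username, password),
    }


if __name__ == "__main__":
    # Two classic payloads: a comment that discards the password check,
    # and an always-true OR clause in both fields.
    for user, pw in [("admin", "correct-horse"),
                     ("admin' --", "anything"),
                     ("' OR '1'='1", "' OR '1'='1")]:
        print(repr(user), repr(pw), compare(user, pw))
```

With the correct credentials both functions return the account name; with either injected payload the concatenating version logs the attacker in as admin without the password, while the parameterised version returns None because the payload is matched literally against the stored username.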

Lack of procedure

Karel Rode, business technologist with Computer Associates, says a major reason for the lack of validation is the "new" way of writing code.

"Programmers often merely access libraries of code and package it to create an application. The validation process then falls between the cracks. This includes failing to remove templates and tools before placing the application into production," he says.

Mervin Pearce, a director with international IT security organisation (ISC)2, also blames the lack of self-assessment for the continuing vulnerabilities.

"People are not doing the penetration tests after every change has been done," he says.

Pearce says that while many South African institutions do have sound documentation in place for coding, there is often a gap between this and actually monitoring what is being done.

"In the US, a person can actually go to jail for not observing rules. While in SA it is merely frowned upon," he says.
