To help avoid common programming errors when building a Web-based app, IT leaders shouldn’t be afraid to scale back on features, according to Info-Tech Research Group Ltd.
“If you have a limited budget, make sure some proportion of it is allocated to considering security, another portion to the usability of the product, and so on,” said Howard Kiewe, a senior research analyst with the London, Ont.-based consultancy. “Don’t allocate all your time and money to the features of the project.”
For Kiewe, cutting back on features leads to a simpler application, which makes it a lot easier to use and secure. A narrow feature list can force you to prioritize and focus on what’s really important and deliver business value in the process, he added
And while avoiding “feature overload” during application development is one of the most important measures to preventing troublesome programming mistakes, another overlooked area is the lack of security planning in the architecture and implementation stage.
“Security needs to be something that you consider when you’re designing the application,” said Kiewe, adding that the development of coding standards and processes in the early stages will give the programmers a good baseline during the rest of the process.
Thinking about security at the beginning of the app lifecycle will also limit the frequency of dangerous programming errors. For example, to avoid incorrect permission assignment during the architecture and design phase, programmers can simply divide an application into different security log-ins, such as anonymous, normal, or privileged.
“That needs to be designed initially because this will determine the nature of your data structure,” Kiewe said. “Let’s say there are functions that can only be accessed by somebody with administrator level privileges, there are functions that are read-only that the whole world can view, and there are another set that return data to internal employees only. “
“This needs to be thought out during the implementation phase, so a programmer can say, ‘This shouldn’t be accessible to anybody except those with administrative privileges’ and so on,” he added.
Kiewe said a common mistake for companies is to overlook security at the design and implementation stages and begin the process after the application is completed and in testing.
“It’s almost as if companies go about it backwards,” he said. “The process is, ‘We need to do security so let’s test the application, find out if there’s any issues, and work backwards to make changes at the code level.’”
Another common, but avoidable, programming error can occur when Web or network-driven software saves critical state data in a vulnerable location, including a stored cookie or database record. In this instance, according to Kiewe, an attacker can gain access to state data related to end-user authentication and access restricted data.
By implementing complementary security checks in client and server environments, he added, even if an attacker gains access to client-side state data, they will be exposed during the subsequent server-side check.
Companies can deal with every entry on the CWE/SANS Top 25 Most Dangerous Programming Errors list, Kiewe said, if IT leaders make it a point to address security at the beginning of any new application development project.
