Developers need to work on creating strong designs for Web applications by rethinking their coding practices and the process in place to fix bugs, according to Mike Shema, director of engineering at Qualys, Inc. in Redwood City, Calif.
There's a lot of developers that aren't aware of security or don't realize they are repeating mistakes.
Mike Shema, director of engineering, Qualys, Inc.
If a Web application has design flaws, they end up becoming weaknesses in the finished product, Shema said, and those weaknesses are easily exploited by attackers.
"There's a lot of developers that aren't aware of security or don't realize they are repeating mistakes," he said.
Shema addresses these issues and more in his new book, Hacking Web Apps, published last month. He said that learning about design problems that cause insecurities helps developers and security teams avoid future issues.
"The focus is really on the main vulnerabilities and threats of Web apps, so that developers can look at those and think about how they will affect the app," Shema said of his book in an interview with SearchSecurity.com.
Shema called string concatenation, a common coding practice of linking together separate items side-by-side to save space, suspicious and advocated for developers to find other ways of coding.
"Sometimes there's a better way to build the code: prepared statements and SQL; [and] sometimes you have to come up with a better way: define a programming style that requires or forbids certain functions and use style checkers to look for misuses," he said.
When fixing bugs, developers should look for similar patterns or usage elsewhere in the code instead of just fixing the page where the bug was found. Addressing a fundamental problem revealed by a bug helps avoid repeating mistakes, Shema said.
Many of the threats that design flaws can lead to have been the same for the last 15 years, Shema said. Two of the most obtrusive threats are cross-site scripting (XSS) and SQL injection (SQLi). These attacks continue to dominate the Web application threat landscape. In the WhiteHat Security Website Statistics Report (.pdf) for summer 2012, XSS was the most prevalent type of attack, with a 55% likelihood of at least one security vulnerability on a website.
"The complexity and volume, just the massive number of sites out there is the reason why it still exists," Shema said of XSS.
Hacking Web Apps also provides hints on what to look for and coding countermeasures developers can use. Additionally, Shema said it covers cross-site request forgery, clickjacking, breaking authentication schemes and more.
Shema is the author of other web security books, including 2010's Seven Deadliest Web Application Attacks. He called Hacking Web Apps an expansion of his previous book and named HTML5 as one of the incentives for diving into an otherwise stagnant sector.
"HTML5 has a lot of new things to look at," Shema said.
Although some security experts believe HTML5 is the future landscape of Web application threats, Shema refutes that idea.
"It's absolutely not a liability. If a hacker can break in with cross-site scripting (XSS), HTML5 is pretty cool because you can make a really cool exploit kit….the payloads can be a lot cooler and a lot stronger," Shema acknowledged. "But HTML5 has a lot going for it with security measures."
Those security measures include: cross origin resource sharing, which Shema says is a way to set up trust between domains for sharing content and let developers do what they want with a design while still retaining some security; content security policy, a companion to HTML5 that gives developers a way to make the same origin policy more granular; and the x-frame-options header that prevents clickjacking.
For now, Shema said it's important for doubters to remember that HTML5 is still being developed.
"There are always going to be bugs, but bugs get fixed," he said. "It's not a fundamental design problem of HTML5. [Bugs] are just hiccups along the way."