Software security flaws begin and end with Web application security

According to a recent report published by the Common Vulnerabilities and Exposures (CVE) project, flaws in Web software are among the most reported security issues so far this year. It's easy to see why. After all, hackers are

    Requires Free Membership to View

known to search for an easy target. Poorly configured or written Web applications are not only an easy target, taking the attacker straight to their goal -- data, and lots of it -- but also can be used to spread malware to anyone else who visits the compromised site.

Sadly, the increase in such flawed applications indicates many developers, or the organizations that they work for, do not fully appreciate the environment in which their applications run or the languages used to create them.

An education issue?
"Easy to learn" scripting languages enable anyone with an eye for graphic design to develop and code powerful Web-based applications. Unfortunately, many developers only bother to learn the eye-catching features of a language and not the security issues that need to be addressed. Also, many of the introductory books on coding fail to discuss security. And, as a result, many of the same vulnerabilities that were problematic for developers several years ago remain a problem today. This is perhaps why cross-site scripting (XSS) is now the most common type of application layer attack, while buffer overflow vulnerabilities, the perennial No. 1, has dropped to fourth place. Two other Web application vulnerabilities, SQL injection and PHP remote file inclusion, take second and third spots.

Mitigating Web application flaws
Fortunately, many risks and remedies overlap. Fixing one problem will more than likely fix another. For example, let's look at some of my best practices for thwarting SQL injection attacks:

  • Assume all data that the application handles is from an untrusted source.


  • Validate all received data for type, length, format and range.


  • Only process data that is deemed valid and reject everything else.


  • Validate data using a trusted server or application.


  • Use parameterized queries and stored procedures.


  • Handle errors without divulging system information.

Now, implementing these recommendations will also help combat cross-site scripting attacks. One measure developers should adopt particularly to prevent XSS, is to encode input data. Encoding transforms potentially dangerous characters into their display equivalents by using character entity references. For example <script> becomes

 <script>.For encoding to be effective, developers should explicitly fix the character set of every Web page. I would also implement a session expiry policy whereby users who don't interact with your site for a period of time are logged out. With this policy, any cookies are destroyed and not just left to expire. 

More on Web application security

Distribute this secure coding  checklist to your developers.

Review these guidelines for Web application development best practices.

The PHP remote file-inclusion vulnerability can also be tackled by checking user input combined with the file_exists() function. This function cannot check remote files, and this allows you to first verify whether an included file exists on your local file system.
As you can see, most vulnerabilities arise when user input is not properly checked. If you are in charge of Web development, ensure that all data is filtered, validated, and encoded before using it in your scripts, data access routines and SQL queries.
About the author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity.com's Messaging Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.

This was first published in November 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.