Secure coding is often an afterthought

Viewing 4 reply threads
    • #5919
      mchugh48
      Participant

      Application security is designed to keep your users' data/information secure
      from being read, stolen, or destroyed by malicious people and processes. Security cannot be added as an afterthought; it must be built in and resistant to attack. There is usually a big push to get an application out the door and delivered, and it takes some strong persuasion to build in security from the start. What ways are others out there using to persuade business and government to build in secure coding? Sometimes, I have noticed that using FUD (Fear, Uncertainty and Doubt) can be effective, but that shouldn't really be necessary.
      Tell me what you think!

    • #37082
      caissyd
      Participant

      Hi mchugh48 and welcome to the forum!

      I have faced this dilemma many times. Here is what I have done:

      1) Build a presentation showing how to add security to every step of the SDLC (Software Development Life Cycle). I focus on cost reduction by “thinking” about security in the early stages;

      2) Show them how, by implementing security into the development framework, we could save a lot of $$$ on subsequent projects. For example, creating a solid filter for user input in web applications could easily be reused by all other projects using the same platform.

      3) Security training for developers. I personally do free “Lunch and hack” sessions at work about twice a month. In these sessions, I will talk about a single topic, for example SQLi, demonstrating an attack or two and showing them how to protect themselves. This is also a great way for me to make them aware of my skills (Hey, I am a contractor ;))

      4) If you end up finding vulnerabilities before the system goes into production, talk to management about how this costly mistake could have been easily avoided by doing xyz earlier.

      I hope this can help you.

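As a concrete version of the SQLi "attack or two, then the fix" that point 3 above describes, and of the reusable input filter from point 2, here is an added example. It is mine, not caissyd's code and not from the original thread. It uses Python's built-in sqlite3 module with a constructed two-user table; the function names, the sample users and the username allow-list pattern are all assumptions made for the demo.

```python
import re
import sqlite3

# Constructed demo data for the session; not from the original post.
# Passwords are stored in plain text only to keep the demo short; a real
# system stores a password hash and compares against that.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' snippet: user input is pasted into the SQL text, so
    quote characters and comment markers become part of the statement."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: a parameterized query. The driver sends the values
    separately from the statement, so they can never change its structure."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# Assumed allow-list for usernames: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username):
    """Reusable allow-list filter, the kind of shared input check the post
    suggests building once per platform. This is defence in depth only;
    parameterization is what actually stops the injection."""
    return bool(USERNAME_RE.match(username))


def demo():
    """Run both attacks against both versions and return the outcomes."""
    conn = make_db()
    # Attack 1: close the quote and comment out the password check entirely.
    bypass_user = "alice' --"
    # Attack 2: make the WHERE clause always true and log in as whichever row comes first.
    tautology_user = "' OR 1=1 --"
    return {
        "vulnerable_bypass": login_vulnerable(conn, bypass_user, "wrong"),
        "vulnerable_tautology": login_vulnerable(conn, tautology_user, "wrong"),
        "safe_bypass": login_safe(conn, bypass_user, "wrong"),
        "safe_tautology": login_safe(conn, tautology_user, "wrong"),
        "safe_real_login": login_safe(conn, "alice", "correct horse"),
        "filter_rejects_payload": validate_username(bypass_user),
        "filter_accepts_alice": validate_username("alice"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Running it shows the two payloads logging in through login_vulnerable with a wrong password, while login_safe returns nothing for both and still accepts the genuine alice credentials; the allow-list filter rejects the payload before it ever reaches the database, which is the reusable piece a platform team can ship to every project.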
    • #37083
      Anquilas
      Participant

      Interesting starting points, I’m hoping to instill similar habits where I work one day.

      Question: do you get a lot of response on those ‘Lunch and hack’ sessions? I’m curious to see what amount of developers can actually be intrigued by these topics.

    • #37084
      Empires89
      Participant

      Security is a huge part of every infrastructure and application project. It can’t just be ignored or weakly implemented. This results in major losses down the road, and is more costly. What happens when your application or project has a security flaw or is exploited? You lose customers, you lose money, you lose trust, and your reputation is ruined. Surely the cost of a little prevention is worth it.

      I can’t say I’ve ever dealt with a project that had an unreasonable time frame for completion. When my boss once demanded I set up a web-based application with an unreasonable time frame I flat out told him “No.” I implemented basic filtering and network/firewall restrictions on this web-based system. Lo and behold, a couple of months later, the application’s programmers found a flaw that allowed crackers to access the admin panel and steal user data. Since I implemented restrictions on our server, I saved us from being cracked and having our customers be exploited.

      Speak money to a company and they’ll usually listen. Tell them that making security a focal point in the beginning often reduces the chance of exploits. Like H1t said, sometimes you can make a security application that can be used in several different projects, and that saves a lot of time and money.

    • #37085
      caissyd
      Participant

      I agree with Empires89!

      To answer Synquell’s question: I get a very, very good response from people for my “Lunch and Hack”. But it needs to be really interesting. They don’t want to study like us…

      I found that doing a “real” demo, like scanning their own machines or querying the whois database for the company info interests them a lot. But strangely, hacking a web server on a VM on my laptop gets much less interest. Go figure! It needs to be visual and entertaining.

      I guess it’s like a magician’s show. Who cares what the trick is, we want to be blown away!

Copyright ©2021 Caendra, Inc.