Software companies spend small fortunes to invest in tools that are designed to make software and web applications a lot safer. However, there is nothing that these tools can do against some of the simplest and most common mistakes that programmers make. Here are the 10 most common mistakes that can result in lapses in the software’s security defense system.
Missing Authentication for Critical Function
Software may unwittingly expose critical functions that can easily be tapped into by attackers if there is no authentication process available. Every critical function should have its own stand-alone authentication system.
Each and every user has to have the right authorization credentials. If these credentials are missing, almost every user will end up with administrator-level privileges; not good news for any software developer.
Nothing good ever comes out of laziness and hard-coding credentials is proof of that. Often used in programs that are being worked upon by multiple developers, hard-coding passwords and other credentials is equivalent to just handing the information over to attackers.
If you have to save important data, including passwords, make sure it is encrypted. Good programmers will ensure that something stronger than 64-bit encryption is used to protect the data. However, even weak encryption is better than storing unencrypted data in plaintext format.
Depending on Untrusted Inputs
During authorization, authentication and other security checks, programmers have to depend upon inputs that are untrusted. In such a situation, it is very easy to fall victim to an attacker who exploits a programmer’s decision to rely on untrusted input.
Always make sure that user accounts have only the privileges that they need, not all the privileges that they want. If an attacker can gain access to any of the user accounts, it will give him administrative powers if undue privileges are associated with that account.
Having a security system is great, but only if the authorization system works perfectly. In many ways, having a faulty authorization system is worse than having no system at all. An incorrect authorization procedure can provide access for an attacker, while providing you with a false sense of security.
Incorrect Permission Assignment
There are many files on the server that require permission settings about whether they can be read or modified, and who it is that is allowed to read or modify them. Failure to have the right permissions assigned to these files makes it easy for attackers to track them down. Attackers are always looking to see how far they can go without raising an alarm. Not having the right permission settings lets attackers go all the way and locate unprotected files.
Bad Encryption Algorithm
Of all the items on the SANS 25 list, bad encryption algorithms are perhaps the most underrated. This error stems from the sheer stupidity of overconfidence. The best thing to do is to always opt for tried-and-tested industry security standards, instead of trying to come up with your own encryption algorithm.
Failure to Restrict Excessive Authorization Attempts
Programmers need to know where to draw the line. Surely after 7 or 10 attempts, it is safe to assume that it is not a case of forgotten password anymore, but rather a case of repeated attacks. Protect your software from such brute force attacks by enabling a restriction on the number of authorization attempts allowed.
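The restriction described above can be implemented as a per-account counter with a temporary lockout. The following is an added example, not code from the original article; the names `LoginThrottle` and `attempt_login`, the 15-minute window and lockout, and the choice of 7 as the threshold (the lower figure in the text) are assumptions.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Lock an account after too many failed logins inside a sliding window."""

    def __init__(self, max_failures=7, window=900, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures  # assumption: 7, the lower figure in the text
        self.window = window              # seconds over which failures are counted
        self.lockout = lockout            # seconds the account stays locked
        self.clock = clock                # injectable so the logic can be tested
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[account]  # lockout has expired
            return False
        return True

    def record_failure(self, account):
        now = self.clock()
        fails = self._failures[account]
        fails.append(now)
        # Forget failures older than the window: occasional typos never add up.
        while fails and now - fails[0] > self.window:
            fails.popleft()
        if len(fails) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            fails.clear()

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(throttle, account, password, verify):
    """Return 'locked', 'ok' or 'denied'; `verify` is the caller's password check."""
    # The lock is checked first, so a locked account never confirms a guess.
    if throttle.is_locked(account):
        return "locked"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"
```

The counter here is keyed by account name only; counting by source address as well limits guesses that are spread across many accounts.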
Programmers should always look out for these 10 common mistakes when developing any kind of software, program or web application.