funsec mailing list archives

Poor programming, app design bolster data breaches
From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 8 Jan 2013 20:23:45 -0500


With data breaches on the rise and the costs stemming from them
escalating exponentially, human error is often the culprit. But
there’s a deeper issue: poor application design and faulty programming
are all too common.

It’s more important than ever to create secure applications during the
development phase, but very few strides have been made along that
path, according to Pieter Danhieux, an instructor at the SANS
Institute and co-founder of the security and hacking conference BRUCON
in Belgium. The teaching of application design and programming needs
to undergo a substantial change because students are not taught and
have not practiced secure design processes at an early enough stage,
he asserted.

“Programming students will typically attend a single module on
security during a course and it often comes in the later part of the
educational cycle,” he explained. “The result is often a class of very
talented developers but they don’t think with security in mind.”

That leads to poor security practices such as building applications
with buffer-overflow and SQL injection vulnerabilities that are widely
exploited by hackers. Danhieux also said that many of the fundamental
mistakes that he was exploiting as a penetration tester 10 years ago
are still the most common issues today.

Approaches for combatting data breaches, from development to client
password policies, need to be supercharged in the face of a growing
threat, he said. “The US is one of the only countries with a
well-developed disclosure culture around security breaches, so the
assumption might be that there are relatively few incidents and that
America is the epicenter,” Danhieux said. “I can tell you for a fact
that the scale of the attacks is at epidemic proportions and it is
organized, well-funded and global.”

Thus, website designers, architects and developers must understand and
learn web app vulnerabilities in depth with tried-and-true techniques
for finding them using a structured testing regime. “The goal is to
learn the skills of an attacker so that students can become better
defenders,” Danhieux said.

That’s not to say human error isn’t still a big part of the problem.
“You can’t say it’s just down to insecure program design,” he noted.
“The bigger problem is still due to insecure passwords,
over-privileged users and poorly patched systems.”

Danhieux is familiar with the reality on the ground in his work for
BAE Systems Detica, an information intelligence company. “We deal with
incidents and security assessment results every day, and when you look
at the root cause analysis, 80% of the time it was one of these
issues,” he said.