Targeted cyberattacks continue to pose a serious threat to organisations, with new groups and ways of attacking websites emerging each year. The increase in cyber-attacks is truly alarming and demonstrates what all organisations are unfortunately aware of – it’s not a question of If your website or systems will be attacked, but a question of when and how bad it will be.
When Symantec, a division of Broadcom that owns Norton Security, released their Internet Security Threat Report for 2019, we were shocked at the results. The report has highlighted the fact that in 2019 the total number of web attacks has reached almost 35 million in a year, showing an increase of 56% from the previous year. Furthermore, the report said that there has been a significant increase in attacks for each day of December 2019, reaching reached approximately 1.3 million web attacks per day.
Thanks to the rapid increase of internet usage across the globe and the unrelenting requirement for digital systems to grow and evolve, there is no doubt that both consumers and organisations are vulnerable to cyber-attack. The Edgescan 2019 Vulnerability Statistic Report discovered that the vulnerability to cyber-attack was directly related to use of and reliance upon web applications (including API’s etc.) as well as network vulnerabilities.
A vulnerability is defined as a weak point that is often used by an attacker to infiltrate your system. The responsibility falls upon those of us, namely software engineers, who are building these systems to ensure that vulnerabilities are limited and managed as part of any software development. These can be avoided by ensuring that security is embedded into various parts of the code.
Here are some common tips to reduce system vulnerabilities, as practiced by our team of software developers here at Mitrais:
1. Avoid SQL concatenation
Your database is an essential part of your system. Often, we are using SQL Queries through the database to retrieve data and bring it into the system – but this is the place where many security vulnerabilities occur. This is especially true when the software engineer builds the query with string concatenation.
String concatenation is another way of saying stringing one query to the end of another, which allows us to pull information from different sources, like column or form values and sub-queries. A well-known hacking technique is SQL Injection, which will take advantage of the string concatenation by adding dangerous script between the strings. For example, when we ask the user to input their name and password, the software engineer might use SQL String concatenation to process the validation.
var @username = UserInput<Username>;
var @password = UserInput<Password>;
‘SELECT * FROM TBL_USER WHERE UserName = ‘ + @username + ‘AND Password = ’ + @password
A hacker may add script into the input where in the next step the information will be passed into the database, allowing anyone to be able to log in without a valid username and password. This opens the gate to an attack on your entire system which can be difficult to manage. The easiest way to avoid this attack is to simply not use SQL Concatenation as a technique at all and instead utilize TextJoin or alternative quotes and templates. Not only are these more secure but they dramatically improve code readability and offer easier revisions into the code down the track.
2. Do not put critical information in the URL
It is important to protect the information within the system; however, the other side of the equation is that it is necessary to pass information through the system for some processes. It’s unavoidable. One of the simplest ways to pass the information within the system is by adding it to the URL.
Technically, it is a legitimate tactic to move the variable through the system by adding the information into the URL. But in the real world, we must be aware of which information should and should not be added to the URL because it can become a gateway for the misuse of data or information. Can you imagine what would happen if we were to include user id or even credit card numbers in the URL? It would be a nightmare and very easy for hackers to steal that information and use it inappropriately.
Example:
http://example.com?userId=765&ccnumber=99828282828171717
Instead, utilize URL variables or query strings to pass data through the system and resolve the security issue. No sensitive information should ever be included in the URL, full stop.
3. Be strict on external input
Software developers should not trust any information that is input from outside the system. This is often the gateway for any attack, and therefore all inputs, like forms or comments or fields, should be validated and sanitized before importing the data into the system. First, we should ensure that the user has input the correct data type into the correct field. For example, when a user is allowed to upload a file, it should be validated for the specific file type. Otherwise, it can be used to upload an executable file that could run a dangerous command which could compromise the system.
Second, the format should be sanitized. This helps to avoid malicious text from being injected unknowingly into the system. For example, a ‘<script>’ tag could be inputted and become a way to do cross-site scripting or client-side injection. Therefore, any inputs should be encoded in some way before they go into the system.
4. Be aware of using third party apps
Nowadays, there are tons of third-party applications or plugins that can be used to make the coding process easier and faster. It is worth being careful of what third-party apps you allow access to your site or software, as these are often the quickest and easiest cause of headaches in security. By gaining complete access to your site, these third-party apps can be maliciously used to compromise your site from the inside out, sometimes creating a backdoor into the system or running a malicious script. All third-party apps installed or used must be validated and checked regularly to ensure that they continue to be beneficial for your site or software and note an easy way to compromise your security.
5. Managing errors as they occur
There is always the possibility of a system error. This could lead to a vulnerability if it openly displayed in any way and the weak point in the system is exposed. For example, a software update could create a software vulnerability like an SQL injection, which may give hackers the opening they are looking for to compromise your site.
With careful consideration of the appropriate methods of development, you can dramatically decrease your risk of a serious software breach. By performing secure coding and having a better knowledge of the ways in which a compromise may happen, you can ensure you mitigate the risk from the beginning. Hacking and cybercrime is not a problem that is going to go away, and so the responsibility falls on software engineers and developers to ensure that the system is secure and that we have done our part in keeping the system, the consumer and their data safe at all times.
If you are concerned about the security of your site or want to ensure that your software is coded with security in mind, speak to the team at Mitrais. We have guaranteed security experts amongst our software engineering team who know the best ways to offer secure coding for your next project. We would love to hear from you.
