Banish Security Blunders with an Error-prevention Process
Traditionally, application security is an afterthought: we build our apps and try to poke holes in them later. Why not take potential security breaches into account from the very beginning? The Automated Error Prevention Methodology provides a framework you can use to integrate security concerns into your app development right from the start.
by Dr. Adam Kolawa
April 8, 2004
Security can be a complex and often overwhelming issue. To ensure application security, not only must you prevent hackers from entering the system, but you need code in place that safeguards security should those preventive measures fail. There is no room for error. You can anticipate and prevent hundreds of security vulnerabilities, but if you overlook just one vulnerability, a hacker can wreak total havoc on your system.
These are the three most commonly exploited internal software weaknesses:
Dangerously constructed SQL statements (for programs that interact with a database).
Buffer overflows (for C and C++).
Uncaught runtime exceptions (for Java, as well as .NET-based languages such as managed C and C++).
The traditional industry approach to compensate for these weaknesses is to build code, then later perform a sort of "monkey testing" intended to simulate hacker actions. Testers attempt to design and execute a large number and variety of tests which pound on the application in as many different ways as possible, all in hopes that these tests will reveal a security vulnerability, which can then be remedied prior to deployment. If fastidiously applied, this strategy can expose many critical security vulnerabilities. However, such a thorough application of this strategy is difficult and time-consuming. The test cases that must be created to identify these security vulnerabilities are typically complex, and few teams have the time and resources to write the necessary number and range of complex test cases without slipping on their deadlines and budget.
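As an added illustration of the first weakness on the list, the dangerously constructed SQL statement, here is a small Python example (not code from the article) that runs the same lookup two ways against a constructed in-memory SQLite table: spliced into the SQL text, even a legitimate name containing an apostrophe breaks the statement, because the database cannot separate data from statement, whereas the parameterized form treats every input as data and so prevents the whole class of error rather than relying on tests to find individual cases. The table, the sample rows and the function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory user store (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def lookup_concatenated(conn, name):
    """The dangerous construction: the caller's value is spliced into the SQL
    text, so the database cannot tell where the data ends and the statement
    resumes. A quote character in the value changes the statement itself."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The preventive construction: the statement text is fixed and the value
    is bound as a parameter, so any input, quotes included, stays data."""
    sql = "SELECT role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo(name):
    """Run both forms on the same input and return (concatenated, parameterized).
    A failure of the concatenated form is reported as the exception class name
    instead of a result, so the two behaviours can be compared directly."""
    conn = make_db()
    try:
        concatenated = lookup_concatenated(conn, name)
    except sqlite3.Error as exc:
        concatenated = type(exc).__name__
    parameterized = lookup_parameterized(conn, name)
    conn.close()
    return concatenated, parameterized


if __name__ == "__main__":
    # Well-behaved input: both forms agree.
    print(demo("alice"))      # ([('admin',)], [('admin',)])
    # A legitimate value with an apostrophe: the concatenated statement is
    # now malformed and fails, while the parameterized lookup still works.
    print(demo("O'Brien"))    # ('OperationalError', [('user',)])
```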