Headlines today are dominated by news of hackers breaking into private networks and web applications, causing financial loss, data theft and loss of data integrity. Probably the best way to secure critical applications is to build security in from the very first level – that is, by adopting the security-centric programming practices taught in various Web Security courses.
SQL injection is commonly behind the theft of passwords from social networks, businesses and government websites. Many don't realize that it is a developer programming issue more than a vendor problem. A comment box or data field in a web form that accepts free-form text, especially an unrestricted string, can expose the application to this attack. HTTP header values can also carry SQL injection payloads. Such vulnerabilities can leave your database completely wiped, stolen or modified.
To stop SQL injection attacks against your system, developers must ensure that user-supplied input is never interpreted as part of an SQL command.
Storing Passwords Securely
Relying on a single technique to store a password is not safe. Hackers have access to resources that allow them to conduct highly effective attacks. It is therefore best to combine three different mechanisms – a one-way hash algorithm, a per-password salt, and a second algorithm that is deliberately slow. This prevents GPU cracking rigs from easily exposing your passwords.
XSS Defense: Contextual Output Encoding
To counter cross-site scripting (XSS) attacks, you can use a programming technique called contextual output encoding, or escaping. It is applied on output, while building the user interface, just before untrusted data is dynamically inserted into the HTML, and the encoding must match the context (HTML body, attribute, JavaScript, URL) into which the data is placed.
A two-factor or multi-factor authentication mechanism is best, since it relies on a second device to verify the user's identity. Authentication based on a single password alone is susceptible to outside attacks. Nowadays most sites offer multi-factor authentication, including Facebook, Google and Twitter.
Forgotten password security design
If a user forgets their password, many sites let them request a new one simply by sending a mail to the registered email address, without much further verification. A better process is to follow these steps:
- Ask security questions to validate user identity
- Send a random code to the user via SMS
- Verify code
- Change password on verification
Although these five practices are not sufficient to fully eliminate the chance of a security breach, they go a long way towards building a strong base that makes your application difficult to penetrate. Koenig offers a multitude of security courses and certifications to make sure that you always stay ahead in defending your enterprise IT from malicious hackers.