It is not only since Snowden published information about more than 50,000 NSA-compromised computers and about the tapping of "internal" data links between the data centres of large internet companies that we should be alarmed: "internal" does not mean "free of threats". Stuxnet showed that even completely air-gapped systems can be targets, and the recent breaches at Adobe and at several US federal agencies show that a few firewalls and some highly trained staff are not enough. Defending a network is much harder than attacking one.
An attacker only has to find one vulnerability to establish a foothold inside the network. Inside an application, a single injection vulnerability may be all that is needed to read your complete database (have a look at Havij, and see here how easy it is).
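To make the "one injection reads the whole database" point concrete, here is an added example that is not part of the original post. It is written in Python against an in-memory SQLite database so that it runs stand-alone; the table, the three user rows and the two payloads are constructed for the demo. The vulnerable lookup concatenates the request parameter into the SQL text, the safe lookup binds it as a parameter, which is exactly the difference between string-building a `SqlCommand` and using `SqlParameter` in ADO.NET.

```python
import sqlite3

# Constructed sample data for the demo; these are not real accounts or hashes.
SAMPLE_USERS = [
    ("alice", "$2b$12$alicehash"),
    ("bob", "$2b$12$bobhash"),
    ("carol", "$2b$12$carolhash"),
]


def make_db():
    """Build an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn, username):
    """The classic mistake: user input is concatenated into the SQL text,
    so the database parses attacker-controlled characters as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Parameterised query: the input is bound as data and never parsed as SQL.
    The same query shape with SqlParameter in ADO.NET behaves the same way."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Two payloads an attacker (or a tool like Havij) would send as the "username".
# The first turns the WHERE clause into a tautology and returns every row;
# the second appends a UNION that reads a column the query never exposed
# and comments out the closing quote.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT password_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union dump:", lookup_vulnerable(db, UNION_DUMP))
    print("safe, tautology       :", lookup_safe(db, TAUTOLOGY))
    print("safe, union dump      :", lookup_safe(db, UNION_DUMP))
```

Note that the safe version does not "filter" or "escape" anything; it simply stops treating the input as code. That is why a review has to check every place where SQL text is assembled, not just the places where a scanner happened to get a response back.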
As a defender, you cannot stop analysing the systems and the code once you have found a single vulnerability; you always have to analyse everything. And not only with some fancy vulnerability scanner: you need to perform white-box testing of all of your applications.
But if you only start pen-testing once the application is finished, it is already too late to build security in cost-efficiently. If you then have to change the authorisation logic inside your application or rework your data access because of possible injections, you will spend a lot of time and money. This has to be fixed during development, not when the code is already finished.
Disclosure: I work for SDX AG as a Chief eXpert, a software development consultant responsible not only for the web application architectures of our customers, but also for the internal SDX IT infrastructure and for all topics related to application security.
At our next "Office Day" (a monthly event where all SDX consultants meet at our "home base" for business updates and a nice chance to have some tech talks with colleagues) I will give a lesson on security-related issues and solutions for .Net web development, and so should you. It is definitely time to start learning and teaching all kinds of security-related information for developers. It is important to make every developer understand that using SSL does not protect an application against injection, XSS, CSRF or configuration errors: TLS only protects the data in transit, not what the application does with it once it arrives.
As a good starting point, have a look at the OWASP Top 10. Hire a consultant to pen-test your applications (and plant something yourself that you expect her or him to find, so you can judge the quality of the test). Have a look at the OWASP Application Security Verification Standard (ASVS) project. As a .Net developer, the blog of Troy Hunt should be on your reading list.
There is so much to learn – every day. Start now or you will be hacked tomorrow.