Web developers are a dime a dozen. I don’t just say that because we’re in the business, either. I mean, really, you can get your company’s web site developed by almost anyone with a copy of Dreamweaver and a dream.
It’s hard to remember that web sites are applications, though. The days of web sites just showing information on screen are mostly over—at least if you want to do business on the web.
If you’re getting a web site developed, it would behoove you to come into the process with some security knowledge on your side. Trust me, the look on your developer’s face when you ask if your site is secure from SQL injections will be priceless…
A list of the top 25 most common software security errors was released two days ago by the CWE. The CWE, or “Common Weakness Enumeration”, is a list that is curated annually by leading software and security experts. The goal is to provide a checklist of things for developers to be aware of, and to provide an extra layer of accountability for those who are having applications developed.
This list got passed around our Royal Oak office today, and it’s something that our web developers are keenly aware of. After all, if we build a website for a client and it gets hacked by a 14-year-old, that reflects pretty poorly on our skills. Taking the extra step to be on top of common security vulnerabilities is one of the perks you get when dealing with a professional web design company.
Our lead developer trimmed the list down to the items that are relevant to our clients and sent it to everyone in the office, even non-developers like me. That just goes to show that at every step of the way, from the account managers to the CEO, we’re at least aware that these things are critical parts of the development process. We develop all manner of sites for our Michigan-based clients and beyond: from basic informational web sites all the way up to custom workflow software, web-based applications, and full e-commerce solutions. No matter what we’re building, we take security very seriously.
In case you’re wondering, here are the things we look for in the sites we develop:
- Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
- Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- Missing Authentication for Critical Function (e.g. ability to call an include directly)
- Missing Authorization (permission check)
- Use of Hard-coded Credentials
- Missing Encryption of Sensitive Data
- Unrestricted Upload of File with Dangerous Type
- Reliance on Untrusted Inputs in a Security Decision
- Cross-Site Request Forgery (CSRF)
- Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
- Incorrect Authorization (e.g. storing permission in cookie)
- Use of a Broken or Risky Cryptographic Algorithm
- Improper Restriction of Excessive Authentication Attempts
- URL Redirection to Untrusted Site (‘Open Redirect’)
- Uncontrolled Format String
- Use of a One-Way Hash without a Salt
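Two items on that list, “Reliance on Untrusted Inputs in a Security Decision” and “Incorrect Authorization (e.g. storing permission in cookie)”, describe the same mistake. The added Python example below (not code from the original post) shows a check that trusts a `role` value from the browser beside the fix, where the cookie only carries an opaque session id and the role is looked up server-side; the user table, session store and cookie values are constructed for the demo.

```python
# Added example (not from the original post): the "storing permission in cookie"
# weakness beside a server-side fix. Users, sessions and cookies are constructed.
import secrets
from http.cookies import SimpleCookie

# Constructed server-side user table: the role lives here, never in the browser.
USERS = {"alice": "admin", "bob": "user"}

# Server-side session store: opaque session id -> username.
SESSIONS: dict[str, str] = {}


def login(username: str) -> str:
    """Create a session; the returned id is the only thing the browser should hold."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def is_admin_insecure(cookie_header: str) -> bool:
    """Weak check: trusts a role claim that the client controls."""
    cookie = SimpleCookie(cookie_header)
    morsel = cookie.get("role")
    return morsel is not None and morsel.value == "admin"


def is_admin_secure(cookie_header: str) -> bool:
    """Fixed check: the cookie is an opaque handle; the role is resolved server-side."""
    cookie = SimpleCookie(cookie_header)
    morsel = cookie.get("sid")
    if morsel is None:
        return False
    username = SESSIONS.get(morsel.value)
    if username is None:
        return False
    return USERS.get(username) == "admin"


def demo() -> tuple[bool, bool]:
    """Bob (a plain user) presents a cookie that also claims role=admin."""
    sid = login("bob")
    tampered = f"sid={sid}; role=admin"
    return is_admin_insecure(tampered), is_admin_secure(tampered)


if __name__ == "__main__":
    print(demo())  # (True, False)
```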
So with that heavy brainful, have a great holiday weekend!