In these days of anonymous attacks and data security breaches, application security testing is one of the most important places where developer resources can be spent. A few hours of testing could save your company millions of dollars in downtime, lost business, legal penalties, and customer confidence. Below are a few ways to avoid such costly mistakes.
1: Keep Objects Simple.
One of the biggest mistakes programmers make with object oriented programming is trying to put too much functionality into a single object. Complex objects require complex inputs and outputs and over time they may develop problems like stack overflows, memory leaks, and other problems that make it easy for an attacker to find holes in your security. Because of this, it is important to make sure that an object is responsible one or two, and certainly no more than five processes. If you find objects that are mega-objects handling 30% or more of the processes in your application, look for places where they can be broken down into simpler objects. Smaller objects are easier to debug and keep your code more organized, and I cannot stress enough how many tiny bugs you will eliminate this way.
2: Use Encryption
This one may seem like a no-brainer, but sometimes encryption is overlooked. I had a friend who was working on a multinational project for a collection of universities. The system he was working on would have contained the personal and professional data for several hundred thousand faculty, staff, students, and researchers. About halfway through the project, he realized that the server that was hosting the site did not have SSH installed, and everyone had been connecting to it plaintext. Simple things like this can be easily overlooked and are the number one cause of security breaches in corporate environments.
Another good example is password storage in PHP sites. An unfortunately large number of sites do not bother encrypting the passwords at the database level, though they may encrypt the passwords during transmission from the web server to the SQL server. This means that while your front-end security may be air tight, an attacker could get through the defenses surrounding your database server and get the customer log in and password information that way.
3: Plan To Test
Far too often companies who are developing software assign no time to testing at all. Apparently it is assumed that programmers test their code while they work and actual dedicated testing time is unnecessary. This is a mistake that can and has cost companies millions. As a rule, companies should spend at least half of the time allotted for programming on testing. That means if you spend 100 hours programming a product, at the bare minimum you should allot 50 hours for testing. It’s even better if half of your time is spent programming, and the other half testing. While you may spend more time and money developing a product, you will spend less time and money after the fact fixing problems that would have been detected during testing. As many of you know, once a product is released, the resources dedicated to supporting it are drastically reduced compared to during primary development. Because of this, it is important to get the vast majority of your testing done before the project is released, and you have the resources to test it properly.
This post was contributed by NetQin Mobile. To learn more you can check out any of these sites: