As a developer, the best way to focus on security is to begin to think like a hacker. Examine the methods that hackers use to break into and attack Web sites, and use that knowledge to prevent attacks. You already test your code for functionality; go one step further and test it for security: attempt to break into it by finding a hole that you may have left unintentionally.
This book covers in detail the following key points to successfully hack proof your Web applications:
- A security process must be researched, planned, designed, and written for your organization. The process should include a network security plan, an application security plan, and a desktop security plan. All developer, administrator, and quality assurance teams should participate in creating the plan and ultimately be aware of their role in the security process.
- Testing is a fundamental component of application security. Security tests should be as true to a real attack as possible in order to establish whether the security measures chosen succeed or fail. Your defenses should take so much effort to penetrate that hackers are discouraged by the time and effort required.
- Developers must keep current on changes and enhancements to the toolsets they are using. This is essential because of the fast pace at which technology changes. Often patches or new releases are available yet go unused, either through lack of awareness or because a time-consuming backlog prevents proper installation.
- Developers, Webmasters, and network administrators must keep current on known security threats; this can be accomplished easily by monitoring such Web sites as www.SecurityFocus.com or www.cert.org. These sites offer not only a listing of current issues, but also a forum in which developers can seek advice on security and find solutions to registered issues.
About the Authors
Julie Traxler is a Senior Software Tester for an Internet software company. During her career, Julie has worked for such organizations as DecisionOne, EXE Technologies, and TV Guide. She has held several positions including Project Manager, Business Analyst, and Technical Writer and has specialized in software systems analysis and design. During her tenure at several organizations, Julie has worked to provide a starting point for software quality assurance and has helped to build QA teams and implement testing processes and strategies. The testing plans she has developed include testing for functionality, usability, requirements, acceptance, release, regression, security, integrity, and performance.
Jeff Forristal is the Lead Security Developer for Neohapsis, a Chicago-based security solution/consulting firm. Apart from assisting in network security assessments and application security reviews (including source code review), Jeff is the driving force behind Security Alert Consensus, a joint security alert newsletter published on a weekly basis by Neohapsis, Network Computing, and the SANS Institute.
Kevin Ziese is a Computer Scientist at Cisco Systems, Inc. Prior to joining Cisco, he was a Senior Scientist and Founder of the Wheelgroup Corporation, which was acquired by Cisco Systems in April of 1998. Prior to starting the Wheelgroup Corporation, he was Chief of the Advanced Countermeasures Cell at the Air Force Information Warfare Center.