Would you say that the building shown above is a safe building? I would probably not. It might even be less safe than I originally thought. This issue does not only apply to buildings; it also applies to something we deal with every single day: software. Nowadays, security in software is a significant issue, and rightly so. Have you ever stopped to consider that security risks could also be lurking in the foundation of your software, that is, the source code? Below we touch on six points from our experience to help you get started with eliminating those risks. Safely towards the future!
1. Be aware of the changes that are made in the software:
Our experience shows that change introduces risk. We live in a world where change is cemented into the foundation of any business. We all want to innovate, renew and, above all, meet the demands of our (potential) customers. To ensure this degree of flexibility, IT must be able to grow in the direction of the business. This means frequent changes to your software, which in many cases is the engine of your business. Are you aware that each of these changes increases the likelihood of a security risk? Logical in itself, and fortunately there is plenty you can do to remain in control.
2. Outdated software:
Did you know that outdated software is not only a business obstacle but also a security risk? Outdated software was often not developed in the spirit of "security by design", typically no longer receives security fixes, and may cause systems to become less stable and reliable over time. Of course you always want to be able to rely on your software, especially at times when a lot of it has to change.
3. Open source:
The use of open source components is becoming more common, and we, like (in our eyes) every IT company, welcome this. Yet there are still some snags. Do you know whether your open source components are all up to date? Security issues may have been found in the versions you are running, so you may be taking a greater risk than you think. It all starts with an inventory: which open source components do I use, and which components do those components use in turn? Do you know?
4. Specific source code security risk: SQL (Structured Query Language) injection:
These are all good points, but what exactly can go wrong in the source code? Take a so-called SQL injection: an attack technique that is often applied to applications and websites. When an application builds an SQL query by pasting user input into the query text, an attacker can supply input that changes the meaning of the query. That way data may be extracted from the database or changed, and in some cases you can actually end up losing control of your server. Plenty to cause headaches, then. What can you do about it? The defence lies in the source code itself: pass user input to the database as bound parameters instead of concatenating it into the SQL text, and allow-list whatever cannot be parameterised (such as column names). To get there you first need a full understanding of your source code, and source code reviews can give you that.
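The following is an added example, not code from the original article or from Omnext: a vulnerable lookup beside its hardened form, run against a small constructed SQLite database. The table names, the sample rows and the attacker inputs are assumptions made for the demonstration. It shows the two outcomes described above, reading every row with a tautology and reading a different table with a UNION, and also the case that parameters cannot cover, a sort column chosen by the user, where an allow-list is the right control.

```python
import sqlite3

# Constructed demo database (not from the original article): a users table the
# application may query, and a credentials table it should never expose.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE credentials (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.execute("INSERT INTO credentials VALUES (?, ?)", ("admin", "s3cret"))
    return conn


def find_email_vulnerable(conn, name):
    """Vulnerable lookup: user input is pasted into the SQL text, so quotes and
    keywords in the input become part of the query."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, name):
    """Hardened lookup: the value is sent as a bound parameter, so the database
    treats it as data no matter which characters it contains."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Identifiers (table and column names) cannot be bound as parameters. The
# hardened pattern there is an allow-list of known-good names, not escaping.
ALLOWED_SORT_COLUMNS = {"name", "email"}

def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"refusing to sort by untrusted column {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


# Constructed attacker inputs (assumed for the demo).
TAUTOLOGY = "x' OR '1'='1"                                    # matches every row
UNION_DUMP = "x' UNION SELECT password FROM credentials -- "  # reads another table


if __name__ == "__main__":
    db = make_db()
    print("honest lookup:         ", find_email_vulnerable(db, "alice"))
    print("tautology, vulnerable: ", find_email_vulnerable(db, TAUTOLOGY))
    print("union dump, vulnerable:", find_email_vulnerable(db, UNION_DUMP))
    print("tautology, safe:       ", find_email_safe(db, TAUTOLOGY))
    print("union dump, safe:      ", find_email_safe(db, UNION_DUMP))
```

With the vulnerable function the tautology returns both users' addresses and the UNION input returns the admin password from a table the query never mentioned; the parameterised function returns nothing for both, because the database looks for a user literally named `x' OR '1'='1`. A code review that flags every string-built query (f-strings, `%` formatting, `+` concatenation feeding `execute`) finds this class of defect mechanically.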
5. Secure Programming: everything must be consistent
With a transfer of money, the amount debited must equal the amount credited; if not, money has disappeared. The same comparison applies to the data that many applications handle, and it applies to each application in its own way. As a developer you know this, of course, but under time pressure inconsistencies slip in more often than we would like. Consistency in programming is a factor that contributes to the reliability and security of applications. Are you aware of how consistently your programmers go about things?
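The money-transfer comparison, worked through as an added example that is not from the original article or from Omnext. The ledger, account names and amounts are assumptions constructed for the demonstration. The invariant is the total of all balances; the inconsistent version applies the debit and the credit as two independent statements, so a failed credit leaves the debit in place and money vanishes, while the consistent version runs both inside one transaction and rolls everything back on any failure.

```python
import sqlite3

# Constructed demo ledger (not from the original article).
def make_ledger():
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # explicit BEGIN/COMMIT instead of implicit transactions
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    return conn


def total_balance(conn):
    """The invariant: the sum of all balances must never change through a transfer."""
    return conn.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]


def balance_of(conn, account):
    return conn.execute("SELECT balance FROM accounts WHERE id = ?", (account,)).fetchone()[0]


def transfer_inconsistent(conn, src, dst, amount):
    """Debit and credit as two independent autocommitted statements. Nothing
    checks that the credit matched a row, so a typo in the destination account
    silently destroys money."""
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))


def transfer_consistent(conn, src, dst, amount):
    """Debit and credit inside one transaction, with every step checked.
    Any failure (unknown account, negative balance via the CHECK constraint,
    crash between the two statements) rolls the whole transfer back."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    conn.execute("BEGIN IMMEDIATE")
    try:
        debit = conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                             (amount, src))
        if debit.rowcount != 1:
            raise LookupError(f"unknown source account {src!r}")
        credit = conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                              (amount, dst))
        if credit.rowcount != 1:
            raise LookupError(f"unknown destination account {dst!r}")
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise


if __name__ == "__main__":
    db = make_ledger()
    print("start:", total_balance(db))
    transfer_inconsistent(db, "alice", "nobody", 30)   # destination does not exist
    print("after inconsistent transfer:", total_balance(db))

    db = make_ledger()
    try:
        transfer_consistent(db, "alice", "nobody", 30)
    except LookupError as exc:
        print("consistent transfer refused:", exc)
    print("after consistent transfer:", total_balance(db))
```

The same structure (one transaction, every step checked, rollback on any failure) applies to any multi-step update of related data, which is what "consistency" means in practice: the invariant is written down, and no code path can leave the data violating it.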
6. Control and understanding: you can only eliminate risks with a full scope
A review of source code provides an overview of risks and other imperfections in the source code. Such a review may be carried out manually or automatically, and in many cases a combination of both is recommended. Why? An automated review is fast, but it produces false positives and also misses certain classes of weakness (false negatives), such as flaws in business logic that only a reviewer who understands the application can spot. This is where Omnext offers a complete service: a rapid, objective and automated review overseen by in-house experts who remove false positives, discover patterns and focus on your situation and on the results that matter for your organisation. The outcome is customised advice based on objective observations of the entire source code. Know where you have to start!
Which of these points would you tackle first?
Anna Willems is brand manager at Omnext, expert in the measurement and analysis of the source code of software applications with the aid of Fit Tests and Stay Fit programs. Anna has a clear vision on combining IT and business, from a marketing perspective, and on how information from the source code can support business initiatives.
Any questions? Ask Anna!