Application Security Is Critical To Development Process

By Catherine De Klerk, Technical Consultant at Compuware

The recent spate of SQL injection attacks on corporate databases internationally should ring a warning bell for South African companies that leave security as an afterthought in their application development processes. In fact, it could only be a matter of time before hackers turn their attention to local systems if large local companies are not adequately prepared.

Historically, the IT skills shortage in the local market has forced many developers to concentrate less on building security into their applications and systems from the start. In addition, development and testing are still performed on production data, despite Basel II's recommendations forbidding it. As a result, security weaknesses can expose a company's critical data to attack or theft.

Simple problems such as insufficient error handling consistently reveal the weaknesses present in many systems in the local market. Without meaningful, controlled error messages in a Web application, corporate code and internal details can end up being revealed to users. These problems are aggravated by the availability of hacking tools that help attackers produce SQL scripts to steal or delete data. It takes far less skill to attack a database today than it did five years ago, and the problem is only going to get worse.

Security needs to be enforced at the application layer using specialised tools designed to analyse vulnerabilities and the error handling capabilities of the application, as well as tools to generate test data instead of using actual production data. By automating many of these steps, developers can concentrate on building better applications while ensuring that security remains a fundamental part of the development cycle.
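The two weaknesses the article names, SQL built from untrusted input and error handling that leaks internal detail, are easiest to see side by side. The following is an added example (not code from the article or from Compuware's products) using Python's standard sqlite3 module against a constructed in-memory customer table; the table, the sample rows and the handler names are assumptions made for the illustration. The vulnerable lookup concatenates the username into the statement, the hardened lookup binds it as a parameter, and the request handler sends exception detail to the server log while returning only a generic message to the client.

```python
import logging
import sqlite3

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("accounts")

# Constructed sample data standing in for a customer database (not real data).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]

GENERIC_ERROR = "An internal error occurred."


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the untrusted value is spliced into the SQL text itself,
    so quotes in the input change the structure of the statement."""
    sql = "SELECT id, username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value is bound as a parameter, so the database engine only
    ever compares it as data, never parses it as SQL."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def handle_request_leaky(conn: sqlite3.Connection, lookup, username: str) -> tuple:
    """Insufficient error handling: the raw database error (which quotes
    fragments of the failing statement) is echoed straight back to the client."""
    try:
        return 200, {"results": lookup(conn, username)}
    except sqlite3.Error as exc:
        return 500, {"error": str(exc)}


def handle_request(conn: sqlite3.Connection, lookup, username: str) -> tuple:
    """Hardened error handling: full detail goes to the server-side log for the
    developers; the client receives a fixed, non-revealing message."""
    try:
        return 200, {"results": lookup(conn, username)}
    except sqlite3.Error as exc:
        log.error("customer lookup failed for input %r: %s", username, exc)
        return 500, {"error": GENERIC_ERROR}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology input :", lookup_vulnerable(db, "' OR '1'='1"))
    print("parameterized, same input   :", lookup_parameterized(db, "' OR '1'='1"))
    print("leaky handler on bad input  :", handle_request_leaky(db, lookup_vulnerable, "'"))
    print("hardened handler, bad input :", handle_request(db, lookup_vulnerable, "'"))
```

Running the block shows the concatenated query returning every customer for a tautology input while the parameterized query returns none, and a stray quote producing a database error message in the leaky handler versus the fixed generic message in the hardened one. The same split applies to any framework: bind parameters, and keep exception text in logs rather than responses.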
Products such as Compuware's DevPartner Fault Simulator, SecurityChecker and File-AID/CS provide repeatability, allowing them to be used across code at any time and, with the ready availability of updates, ensuring that current threats can be countered.

There are currently around 8000 SQL injection attacks occurring worldwide every day, and with losses running into the hundreds of millions of dollars it is apparent that hacking is here to stay. We have already seen the early signs of security threats locally, with major banks reporting breaches. It is not enough simply to tell clients to update their anti-virus programs while unsecured applications continue to exist on the sites of major banks, financial companies and other large corporations. We need to stop paying lip service to security and start making it a critical part of the development process.