Horizontal Security

At tonight's SACJUG meeting, Roman Hustad of Foundstone talked about a number of issues in writing more secure code. Luckily he comes from a coding background, so much of the advice was a lot more relevant than the typical network security perspective.

Foundstone has developed a couple of example applications, including Hacme Books, to illustrate bad coding practices. He covered ideas like entering a single quote character into fields to check for SQL injection possibilities, and something called a horizontal privilege attack. That’s an attack based upon gaining access to other users’ accounts with the same permission level so that you can steal their information or use their account. You might do this with a badly coded web application by simply changing the value of a user id URL parameter.
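The horizontal privilege problem comes down to a handler that selects the record from a request parameter instead of from the logged-in identity. The Java below is an added example, not code from the talk or from Hacme Books; it puts the weak lookup beside a version that checks ownership. The class, record and method names and the sample accounts are hypothetical, and plain static methods stand in for a web framework's request handling.

```java
import java.util.Map;
import java.util.Optional;

// Added illustration (Java 16+). All names and sample data are hypothetical.
public class HorizontalAccessDemo {
    record Account(int userId, String email) {}
    record Session(int authenticatedUserId) {}

    // Constructed sample data: two users with the same permission level.
    static final Map<Integer, Account> ACCOUNTS = Map.of(
        101, new Account(101, "alice@example.test"),
        102, new Account(102, "bob@example.test"));

    // Weak: the session is ignored and the record is chosen purely by the
    // user id parameter, so any logged-in user can read a peer's account.
    static Optional<Account> viewAccountWeak(Session session, String userIdParam) {
        return parseId(userIdParam).map(ACCOUNTS::get);
    }

    // Hardened: the requested id must match the identity bound to the session.
    // A mismatch is refused and written to the log for review and alerting.
    static Optional<Account> viewAccount(Session session, String userIdParam) {
        Optional<Integer> requested = parseId(userIdParam);
        if (requested.isEmpty() || requested.get() != session.authenticatedUserId()) {
            // Log the parsed value only, never the raw parameter text.
            System.err.println("DENY user=" + session.authenticatedUserId()
                + " requested=" + requested.map(id -> Integer.toString(id)).orElse("invalid"));
            return Optional.empty();
        }
        return Optional.ofNullable(ACCOUNTS.get(requested.get()));
    }

    // Treat anything that is not an integer (including null) as "no id".
    static Optional<Integer> parseId(String raw) {
        try {
            return Optional.of(Integer.parseInt(raw));
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        Session alice = new Session(101); // constructed session for user 101
        System.out.println("weak, own id:      " + viewAccountWeak(alice, "101"));
        System.out.println("weak, peer id:     " + viewAccountWeak(alice, "102"));
        System.out.println("hardened, own id:  " + viewAccount(alice, "101"));
        System.out.println("hardened, peer id: " + viewAccount(alice, "102"));
    }
}
```

In a code review, the thing to look for is any data access keyed on an identifier taken from the request without a comparison against the session's own identity.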

He mentioned two relatively recent texts on how to apply better security practices within a software development lifecycle. And both of the suggested books included ways to deal with it on an Agile project:

Overall, a good introductory talk by a practitioner. One of his main points was that security is becoming something you need a few developers to specialize in, so that you can keep a team up to speed on the newest techniques. Trying to make everyone a security expert just isn’t going to happen. And finally, he pointed out that code reviews are a great place to inject secure software practices.