Secure Features, Not Just Security Features

Just as the IT professionals we talked about at the beginning of the chapter had some misconceptions about network security defenses versus application security defenses, developers also often have some mistaken beliefs concerning security. Next time you pass a developer in the hallway, stop him and ask him what he knows about security. He’ll probably answer with some information about firewalls, antivirus, or SSL. If he’s a Neal Stephenson fan, maybe he’ll corner you and start ranting on the inherent superiority of the Blowfish cryptography algorithm over the Advanced Encryption Standard algorithm. (If this happens to you, we apologize for getting you in this situation.)

And there’s nothing wrong with any of this—firewalls, antivirus, SSL, and cryptography are all important security features. But there’s a lot more to creating secure web applications than just knowing about security features. It’s actually much more important to know how to apply security to the routine development tasks that programmers tackle every day, like parsing strings or querying databases. In short, it’s more important to know how to write secure features than it is to know how to write security features.

Look back at the OWASP Top Ten one more time. It’s telling that for the majority of these vulnerabilities, the way that you solve the problem is usually found in a secure coding technique rather than in the application of a security feature. This is especially true when you look at the earlier, more critical vulnerabilities on the list. Of the top six, only one (#3, Broken Authentication and Session Management) can be attributed to misuse of a security feature. The rest are all caused by improperly coding the “normal,” everyday features that make up the majority of the work that applications perform.
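The "querying databases" example above, as added code that is not from the book: the same everyday lookup feature written two ways, with a constructed in-memory SQLite table so it runs offline. No security feature is involved in the fix; only how the routine query is coded changes.

```python
import sqlite3

# Constructed sample data (not from the book): a tiny customer table.
SAMPLE_ROWS = [("O'Brien", "alice@example.com"), ("Smith", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (last_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_by_name_concat(conn, last_name):
    """Everyday lookup coded the wrong way: the input is pasted into the SQL
    text, so any quote in it changes the structure of the query itself."""
    sql = "SELECT email FROM customers WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn, last_name):
    """Same feature coded securely: the driver binds the value as data, so the
    input is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT email FROM customers WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def compare(last_name):
    """Run both versions on one input and return (concat_result, param_result).
    For the concatenated version an SQL error is returned as a string, which
    is the visible symptom that user input has become part of the query."""
    conn = make_db()
    try:
        concat = find_by_name_concat(conn, last_name)
    except sqlite3.OperationalError as exc:
        concat = f"error: {exc}"
    param = find_by_name_param(conn, last_name)
    return concat, param


if __name__ == "__main__":
    print(compare("Smith"))     # both versions agree on a plain name
    print(compare("O'Brien"))   # only the parameterized version works
```

A legitimate surname with an apostrophe is enough to break the concatenated version; the parameterized one returns the correct row.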


IMHO

It’s disappointing to me that so many people think of security as just being security features. If you go to your local bookstore and randomly pick a book from the computing section, that book will probably have one short chapter on security, and 99 percent of that chapter will cover authentication and authorization methods. I’ve even seen entire books titled something like “Web Security” that only covered authentication and authorization.


We’re certainly showing our bias here regarding the value of secure features versus security features. But don’t take that to mean that security features are unimportant. If you don’t implement appropriate authentication and authorization checks, or if you use easily crackable homegrown cryptography, your users’ data will be stolen and they won’t be happy about it. They won’t care whether it was a cross-site scripting vulnerability or improper use of SSL that led to their credit card being hijacked. They probably won’t even understand the difference. All they’ll know is that they were hacked, and you’re the one responsible. So cover all your bases, both secure features and security features.
