Thursday, November 01, 2007

Application Security Special Interest Group

I'm part of an expertise group at the new company where we attempt to resolve security concerns and develop new awareness on security to be integrated in the development process from the beginning of a project. The focus is not on specific things like encrypting passwords, but carries a more global nature and may lead to the development of a new service portfolio.

Tonight we have a meeting. My focus is mostly on application architecture, so very high level.

Examples of AS concerns are:
  • Unwanted and unseen information leakage (see recent web2.0 developments)
  • Cross Site Scripting attacks and other browser vulnerabilities
  • Unwanted access
  • Injection vulnerabilities
  • Lack of input validation
  • Insufficient testing on the security of an application
  • Insufficient preparation and evaluation in the architecture and design
A very basic thing that isn't truly considered in many cases is that requirements are written from the perspective how something should behave. Never how something should definitely not behave. Especially in the field of security, this is where you leave a wide gap that may introduce security problems when the developer/writer/architect is not aware of certain vulnerabilities in that area.

When things develop further, I'll write more on this blog.

No comments: