software_security
Artemis Financial is a company that is commissioning the development of a new web application. Artemis provides financial and investment services to various clients. As a financial company, Artemis collects and works with sensitive personal data. The new web application Artemis was seeking to create needed to be designed with the latest security practices in mind. Artemis requested that I evaluate their application and perform a code review for me to make recommendations aimed at improving the overall security of the application.
I did not have to spend a lot of time reviewing the code before discovering some code that warranted further review. For example, one of the initial submissions I received from Artemis included code in which the administrative password for the database server was stored in plain text. It is essential to keep security in mind throughout all phases of development because adding security in the initial stages of development is simpler when compared to trying to implement security late in development where it often necessitates the need to rewrite large sections of code that have already been written. Keeping your software secure is a benefit for your customers and your company because a software company is only as good as its reputation. It can be tough to repair your brand’s image after it has been associated with releasing software with major security vulnerabilities.
The toughest part of working through the vulnerability assessment process was identifying false-positive results on the dependency analyzer report. It takes a bit of practice before you can quickly identify false-positive results on the report. Fortunately, once you have identified a false-positive result, it is a straightforward process to exclude the false reading from the report. A lot of dependency vulnerabilities can be resolved by updating the dependencies to their latest version if older versions of the dependency are currently being used.
To increase the layers of security, the overall scope of the application needs to be well thought out and security should be implemented within any layer where sensitive data or input are stored, maintained, or are in transit. Having a model of the different layers of the application is helpful and if I were designing an application, I would use this to determine where to implement various security mechanisms such as authentication, authorization, and input validation. It is also important to assess that data being sent or received is secured by using encryption.
I tested that the code and application were functional and secure by performing frequent tests on my local machine. By reading the debugging output from the application server when it was running for local testing, I was able to ensure that the program was working correctly and that there were not any errors throughout the testing procedure. Prior to making changes to the code, I ran a static report which listed any security vulnerabilities it found when it scanned the code. I ran a second report after completing the necessary changes to the code to ensure that no new vulnerabilities appeared in the report.
One of the main resources that I used was a dependency analyzer that could scan your code and identify any vulnerabilities within the application’s dependencies. I found this to be extremely useful since often writing an application requires extensive use of third-party libraries and frameworks. While third-party libraries are a powerful tool used to rapidly develop software, they can also introduce security vulnerabilities into your application with little warning. After using this tool, I discovered a dependency checking feature like what I used on this project that is built directly into my code editor of choice. Now with one click, I am brought to a report that lists any potential security vulnerabilities found within my application’s dependencies.
I would show a potential employer the final project where I added a mapping to a page that displayed a SHA2-256 hash for an input string. While this does not sound like much on the surface, I also generated a security certificate stored within a keystore and used that keystore within the application to enable secured communication through HTTPS. Though many browsers will still show an error due to the certificate being self-signed, it can be verified through a browser that communications between the browser and the application are encrypted.