CodeMash 2014 Session Recap: Applicaiton Security

Duane OdumAfter letting it “sink in” for a week I realized that we all need to be a little more aware of the importance of security when we are developing applications.  It amazes me that someone would post data source and connection information in StackOverflow but I was able to find 15 articles with that information readily available.  Granted some of those are probably connections to a personal development environment but I literally spent less than 30 minutes looking and ultimately it made me more curious about what I could find if I actually spent some actual time digging.

Let me be clear, I am in no way, shape or form going to start targeting folks or organizations that post that information.  What that really did for me was make me take a step back when posting questions, using comments in my code that directly reference a particular person’s work and catching errors appropriately.  I would like to think that I would never make a mistake like this but I am still a human and most of us are imperfect on our best days.  I myself was really taken aback by the aspect of commenting your source when using someone else’s code.

I am not above using someone else’s solution when it is better than my own and I always reference the code in the comments.  One of the revelations that I had in this session was that I never really look past the piece of the code that I use to improve my solution.  In many cases I am simply taking a method that refactors something I created and I almost never look at the entirety of the solution.  That can be a huge mistake, I really should be taking the time to ensure that if I do comment the resource that it will not expose any vulnerabilities in my code as well.

The other big piece of this that I never really put much thought into is the error catching aspect of code. Creating a generic error catching block is something that I have been in the habit of for quite some time but I never thought about the effect of not doing writing a generic error catcher.  When an end users sees the dreaded “Server error in ‘/’ Application” error it means absolutely nothing to them but for a developer with nasty intentions it can provide a plethora of details that your application doesn’t really need to be displaying to anyone.  I work with SharePoint a majority of the time and when developing applications for SharePoint I generally turn off the custom debugging so I can get a relevant error message without using ULS Viewer or digging through the logs (nothing against correlation ID’s but I don’t want to spend the time looking around).  I never do this in a production environment and after this session I never will.

Most “hacking” is done over a period of time and involves many different aspects of penetration but one thing remains the same as it was before the internet was even a thought…people make mistakes.  It may just be that the developer had to rush to beat a deadline and posted something on StackOverflow that exposed too much information or just the fact that they did not think there was a need to catch all errors.  Ultimately the biggest source of knowledge gathering for a potential threat is still the human element.  Much like a 12 step program the only way that you can start to correct the problem is to admit it is a problem.  One of the great things about being a developer is that we really do have a community and there are many sources of support out there but we first have to realize that we need that support.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s