Get Smart on Web Application Security - 'Thinking Like A Hacker' (Page 3 of 3)
Learn To Think Like A Hacker
At the planning stage of any application development project, start with a risk assessment: what the application does, what data it exposes, what information needs protecting, and what threatens that data, advises K.K. Mookhey, speaking on a panel on Web application security at the Networld+Interop conference in Las Vegas earlier this year. Mookhey is CTO and founder of Network Intelligence India, an application event management vendor in Westwood, Mass.
Then look at your architecture, and at where and how the application integrates with the operating system, database and middleware, explains John Weinschenk, president and CEO of Cenzic, who also spoke on the RSA panel.
Authentication: the login page should hand the submitted credentials to a dedicated authentication step that verifies them; only a user who passes that step should be forwarded to the next page of the application.
The password must never travel in clear text (unencrypted), because it can be stolen by sniffing, so the login form should be served and submitted only over an encrypted connection such as TLS. Storing the password in clear text in the database is dangerous too. The panel's recommendation was to store and send a salted MD5 hash, but that advice needs two corrections. First, hashing is not encryption: a hash protects a stored password only if it is expensive to guess, and MD5 is so fast that even salted MD5 hashes can be brute-forced at high speed on commodity hardware. Store passwords as salted hashes produced by a deliberately slow password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2) instead. Second, hashing on the client before sending does not defeat sniffing, since the hash itself then becomes the credential an attacker replays; the transport must be encrypted regardless.
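The following is an added example, not code from the article or from any of the panelists, showing the storage side of this advice in Python's standard library: a salted PBKDF2-HMAC-SHA256 record, constant-time verification, and a verify-and-upgrade path that migrates a stored salted-MD5 record (the scheme the panel recommended) to PBKDF2 the next time its owner logs in successfully. The record formats, the iteration count and the sample credentials are assumptions made up for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor. Assumed value for this example; in production
# raise it until one verification costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 200_000


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.

    The salt is random and unique per record, so two users with the same
    password get different hashes and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${_b64(salt)}${_b64(digest)}"


def _verify_pbkdf2(password: str, record: str) -> bool:
    _, iterations, salt_b64, hash_b64 = record.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison: a plain '==' leaks how many leading bytes match.
    return hmac.compare_digest(expected, candidate)


def legacy_md5_record(password: str, salt: str) -> str:
    """The salted-MD5 scheme the panel recommended: 'md5$<salt>$<hex digest>'.

    Kept only so existing rows can be verified and migrated; MD5 is far too
    fast to protect passwords against offline guessing.
    """
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return f"md5${salt}${digest}"


def _verify_md5(password: str, record: str) -> bool:
    _, salt, hex_digest = record.split("$")
    candidate = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return hmac.compare_digest(hex_digest, candidate)


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record of either format.

    Returns (ok, new_record). new_record is a fresh PBKDF2 record when the
    stored one was legacy MD5 and the password was correct, so the caller can
    overwrite the database row at login time; otherwise it is None.
    """
    if record.startswith("pbkdf2_sha256$"):
        return _verify_pbkdf2(password, record), None
    if record.startswith("md5$"):
        if _verify_md5(password, record):
            return True, hash_password(password)
        return False, None
    raise ValueError("unknown password record format")


if __name__ == "__main__":
    stored = legacy_md5_record("hunter2", "a3f9")  # constructed legacy row
    ok, upgraded = verify_and_upgrade("hunter2", stored)
    print(ok, upgraded is not None and upgraded.split("$")[0])
```

The migration trick is the part worth copying: the plaintext password is available only at the moment the user logs in, so that is the only moment a weak stored hash can be rehashed with a stronger function without forcing every user through a password reset.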
The best way to manage sessions is to use a single session token that takes two values across authentication: one issued to the anonymous visitor before login, and a fresh one issued, with the old one invalidated, once the user has authenticated. Rotating the token at login means that a value an attacker planted or observed before the user logged in (a session fixation attack) is worthless after it.
"Don't do what most developers do and expect the user to never make input mistakes," says Daniel Cuthbert, co-founder of the Open Web Application Security Project. "And they don't assume that authorized users, once logged in, are going to behave nicely."
For example, an authorized user could abuse his insider position to hijack the cookie of a previous user's session and inherit all the information that session had access to, says Weinschenk. Or, depending on how the password recovery mechanism works, a fraudster could request the password of another user's account. A recovery mechanism that can hand out or reset a password is itself an authentication path and needs the same scrutiny as the login page.
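The session handling described above (one token before authentication, a different one after) and the stale-cookie hijack in the preceding paragraph are both addressed by the following added example; it is not code from the article or from any panelist. It is an in-memory session table in Python whose token is rotated at login, whose entries expire on idle and absolute timeouts, and whose logout invalidates server-side rather than relying on the browser discarding the cookie. The timeout values and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: Optional[str]  # None until the visitor has authenticated
    issued_at: float
    last_seen: float


class SessionStore:
    """Session table keyed by an opaque random token.

    Assumed policy for this example: 15-minute idle timeout and 8-hour
    absolute lifetime. The clock is injectable so expiry can be exercised
    in a test without waiting.
    """

    def __init__(self, idle_timeout: float = 15 * 60, max_lifetime: float = 8 * 3600,
                 clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._idle_timeout = idle_timeout
        self._max_lifetime = max_lifetime
        self._clock = clock

    @staticmethod
    def _new_token() -> str:
        # 32 bytes from the OS CSPRNG. Never derive a token from the user name,
        # a counter or the time: a guessable token is a hijackable session.
        return secrets.token_urlsafe(32)

    def create_anonymous(self) -> str:
        """Pre-authentication token: it tracks the visitor but grants nothing."""
        now = self._clock()
        token = self._new_token()
        self._sessions[token] = Session(user=None, issued_at=now, last_seen=now)
        return token

    def authenticate(self, old_token: str, user: str) -> str:
        """Rotate the token at login. The pre-auth value is retired and a fresh
        one is bound to the user, so a token fixed or sniffed before login
        cannot be used to ride the authenticated session afterwards."""
        self._sessions.pop(old_token, None)
        now = self._clock()
        token = self._new_token()
        self._sessions[token] = Session(user=user, issued_at=now, last_seen=now)
        return token

    def _live(self, token: str) -> Optional[Session]:
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if (now - session.last_seen > self._idle_timeout
                or now - session.issued_at > self._max_lifetime):
            del self._sessions[token]  # expired: remove so it cannot be replayed
            return None
        session.last_seen = now
        return session

    def is_active(self, token: str) -> bool:
        """True if the token is known and unexpired, authenticated or not."""
        return self._live(token) is not None

    def lookup(self, token: str) -> Optional[str]:
        """Return the authenticated user for a token, or None if the token is
        unknown, anonymous, idle too long, or past its absolute lifetime."""
        session = self._live(token)
        return session.user if session else None

    def logout(self, token: str) -> None:
        """Server-side invalidation. Clearing the cookie in the browser alone
        leaves a token that anyone who copied it can keep using."""
        self._sessions.pop(token, None)
```

Two details carry the security weight: the old token is removed before the new one is issued, so there is no window in which both are valid; and expiry is enforced on the server at lookup time, so a cookie lifted from a previous user's browser stops working whether or not that user ever clicked "log out".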
Then test your applications, and test again whenever an application is upgraded, say experts. Commercial scanners (from Cenzic, F5 Networks, Netcraft, SPI Dynamics and others) catch most known classes of vulnerability, though not flaws in an application's own business logic, which still need a human reviewer. There are also open source tools such as Nessus and its Windows client NeWT; Tenable Network Security has published a good paper (PDF) on using them. For mission-critical applications it may also be appropriate to enlist a continual monitoring service such as the one WhiteHat Security offers.