By Dan Cornell
Does everyone remember Goofus and Gallant? That was the cartoon series in Highlights Magazine that tried to teach kids good manners and social skills by example: “Goofus burns ants with a magnifying glass; Gallant respects all living creatures” And so on.
I think Goofus and Gallant both grew up to be software developers.
Business analysts, architects and software developers all have many opportunitites every day to make decisions that can either help or hurt the security of the systems they are building. Decisions made in Visio, on whiteboards and at the keyboard can either produce applications that are secure and resilient against attack or are brittle and riddled with vulnerabilities. When we work with teams helping them build secure software we see the types of decisions they are faced with and help them make good choices up-front – when they are less expensive.
Here is a scenario we saw recently: Application A needs to update some of its data tables periodically with data provided by Application B developed and hosted by an untrusted 3rd party.
What would Goofus and Gallant do?
· Goofus has Application B send him raw SQL statements because it is really easy to write the code to execute them in his database.
· Gallant has Application B provide him with structured data in a format such as CSV or XML so he be sure the data is not treated as executable code and so he can validate it and put it in the database only if it passes positive checks for data type, length, range and business logic validity.
Goofus might come back and argue that he would set up a separate database user for these queries and make sure that it had limited permissions to access the database to prevent SQL statements that would “DROP TABLE” and so on. Gallant does all that stuff too, but most importantly made the fundamental decision to force communication between the applications to consist of data rather than executable code.
Eventually someone – good guy or bad – is going to figure out they can send Goofus’ application arbitrary SQL statements. Then Goofus not only has to fix the way his application works, but he also has to convince the 3rd party developing and hosting Application B that they need to change the way they are sending him data. This is frustrating, time-consuming and diverts resources away from building cool new features in the application.
Developers – you have control ove the security of the systems you develop. Think through the security implications of your design decisions early-on and please don’t be a Goofus.
Contact us for more information on designing applications that can interact with one another securely.
--Dan
dan _at_ denimgroup.com
Comments