Building secure software requires vigilance at all stages of development. Engineers cannot always stay up to date on security issues, and trying to deal with all of them at once is often an overwhelming task. Our software quality assurance (SQA) engineers are seasoned, have a strong understanding of security issues, and can dig up and address them in order to increase application security. Together we can take on any project, big or small. Below are some of the most common vulnerabilities:
One of the most commonly exploited vulnerabilities used by hackers is the buffer overflow. In a nutshell, this is a flaw that can be exploited to make a program execute unwanted code, giving the hacker complete control of the target system.
Many incorrectly assume that this type of attack is unlikely because of its complexity: to exploit a buffer overflow from scratch, a hacker must have a lot of skill and knowledge of operating systems, code and compilers. This assumption is incorrect, however, as there are numerous ready-to-go exploits for commercial software that can be downloaded and used by hackers with very little knowledge of the target system.
There are several hacker groups who purchase software for the sole purpose of identifying security vulnerabilities. They methodically go through each part of a program, disassembling the code while searching for a way to exploit it. No development company can safely say that they are not a target.
A secure code review can mitigate many of these risks. Contact us today to learn more.
Needless to say, this is the most critical component of a security system. The most common mistake in authentication is weak credentials, which leave a system vulnerable to brute force attacks because the attacker can easily guess the password. To mitigate this type of attack, strict password composition requirements should be implemented. Requiring a password of at least 8 characters that also meets complexity rules will reduce a system's attack profile by an order of magnitude.
Once a user authenticates to a website or system, it is common for that system to use a ticket (a session token) to maintain the authenticated state. These tickets must also be hardened against brute force attacks and session hijacking.
iPresidium also works with single sign-on providers and can secure and review assertion data. Contact us for more information.
Once a user is authenticated to a system, what permissions do they actually need? Can they elevate their session's privileges in order to gain further access to the system? From a programming standpoint, never trust the user's input. For example, a developer may implement authentication correctly but fail to encrypt the authorization portion of a web session cookie. In this scenario, the attacker simply changes the authorization level stored in the cookie to gain elevated access. These elevation-style attacks are common, and simply encrypting a session is not enough.
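The cookie design described above, contrasted with a hardened one, as an added illustration that is not iPresidium's code: the server key, account names and roles are constructed demo values, and the hardened version stores only the identity in the cookie, authenticates it with an HMAC, and looks the role up server-side.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not from the page); keep real keys in a secrets store.
SERVER_KEY = b"demo-only-server-key"
# Server-side record of the role each authenticated account was granted.
USER_ROLES = {"alice": "user", "bob": "admin"}

def naive_cookie(user, role):
    """Vulnerable pattern: the cookie itself carries the authorization level."""
    return base64.urlsafe_b64encode(json.dumps({"user": user, "role": role}).encode()).decode()

def naive_role(cookie):
    """Vulnerable check: whatever role the client sends back is trusted as-is."""
    return json.loads(base64.urlsafe_b64decode(cookie))["role"]

def signed_cookie(user):
    """Hardened pattern: the cookie names only the account, and an HMAC over
    that value lets the server detect any client-side edit."""
    body = base64.urlsafe_b64encode(json.dumps({"user": user}).encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def signed_role(cookie):
    """Hardened check: verify the tag first, then derive the role server-side.
    Returns None (no access) when the cookie is malformed or was altered."""
    body, _, tag = cookie.partition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not tag or not hmac.compare_digest(tag, expected):
        return None
    user = json.loads(base64.urlsafe_b64decode(body))["user"]
    return USER_ROLES.get(user)

def demo():
    """Replay the elevation described in the text against both designs."""
    # Client rewrites the naive cookie's role field; the server believes it.
    forged = naive_cookie("alice", "admin")
    # Client rewrites the user field of a signed cookie; the tag no longer matches.
    legit = signed_cookie("alice")
    body = base64.urlsafe_b64encode(json.dumps({"user": "bob"}).encode()).decode()
    tampered = body + "." + legit.split(".")[1]
    return naive_role(forged), signed_role(legit), signed_role(tampered)
```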
Our SQA engineers and partners also address the following:
Learn more by contacting us and speaking with one of our information security specialists.