Development is a security risk?

What intruders do your applications let in?

 

Have you ever heard the idiom "Can't see the forest for the trees"? Well friends, get your chain saws out, because we need to start clearing the brush at the I.T. front door before we can look anywhere else. For the next few blog postings we are going to discuss the security risk of internal applications.

 

Most businesses have a blind faith that their internal applications have the proper security. They then spend billions keeping the network secure. Keep in mind that the most common crime is a paid hacker finding a loophole in application software, not in your network.

 

I'm not saying developers are building back-door trojans like in the ‘70s. I'm talking about hackers who watch the data stream to see whether its unencrypted characteristics or patterns are now showing up over wireless networks. One way these hackers gain access to your system is through applications.

 

Let’s say you found an application that looks interesting (let’s call it angry, ninja, jetpack with friends), you install it on your phone, and then you hook the phone up to your computer to recharge. Most companies allow employees to use their cell phones at work, but in reality, by allowing this they have just tethered their secure computer to an open and unsafe network.

 

What are you letting in through the BYOD door?

 

The reality is that development tools, third-party software and applets can pose a bigger risk to a company's security than the application that was built with them. In addition, I’ve always heard that data or information is the most important asset a company owns. I would say that if a hacker gets hold of the code, he or she can get access to the data and much more.

 

I know that I'm only restating the obvious "chicken or the egg" scenario, but I need to make a point about the use of code to manipulate data. Case in point: how many applications in your shop use freeware or shareware, either as a tool or as an applet embedded into the application? The truth is that most companies don't recognize how exposed their code is. The companies that do test only test the application when it is going into production. I would guess that most development implementations are not tested at all because they are considered tier-two applications, leaving you open to attack.

 

In both the Dropbox and Yahoo hacking cases, it wasn’t the front end of the database, using SQL code, that was hacked. Hackers found the code and got the data. Please secure and encrypt your code when transporting it. If your current code repository isn’t encrypted, find one that is.

 

At this time, it's hard to compete with freeware or even shareware when you need a tool or applet fast to complete development of an application. If you download them, do you take steps to ensure they are secure, or do you just install them on your local computer and then forget about them? When you compile applications, do you know what every one of the "OCXs" and "DLLs" does in the application? In agile IT environments we are required to develop applications faster. This requires developers to reach outside the peer network, which is OK but could be a security risk. We have all heard the saying that nothing is free; but please, don't be the one that has to pay.

 

Labels: IT| security
Comments
Nadhan | ‎10-02-2012 01:17 PM

Great post, Michael.  Two different thoughts come to mind:

 

 

 

Connect with Nadhan on: Twitter, Facebook, Linkedin and Journey Blog.

 

anshulkatta | ‎03-11-2013 02:00 AM

It is important to have a bug bounty, as hackers who are searching for vulnerabilities report to the development team. eBay, PayPal and Facebook are all doing that, and that is making them stronger and safer.

 

There can be cases where testing is not enough to find all the vulnerabilities and holes in web apps.

 

The best hackers are in the public, and we should listen to them.

 

 

NoelW | ‎04-19-2013 05:52 AM

Great article Michael! I wanted to see if you would be interested in writing for our Techwell website? Please feel free to contact me directly if so - I really think your writing style and "current issue content" would make a great contribution to our site.

 

Thank you, and keep up the good work!

 

-Noel W.

Michael-Deady | ‎04-19-2013 07:09 AM

Noel,

 

Thanks. I'm always interested in writing for any group that would like to hear my rant; please contact me at michael.deady@hp.com

 

Thanks

@wh4tsup_doc 

About the Author
Michael Deady is a Pr. Consultant & Solution Architect for HP Professional Service and HP's ALM Evangelist for IT Experts Community. He spec...