In a digital world, a website has become essential and easier to obtain than ever. Constantly fighting internet threats, we know how wide a gate to those threats a website can be. So we have decided to share with you, in a five-week series of posts, the main causes of website vulnerabilities.
Because you cannot stay safe if you do not know where to look 🙂
We start our journey with the cause of 90% of security incidents: the mistakes developers make when writing source code.
When we talk about the human factor, everyone should understand that perfection cannot be achieved. Even with experienced software engineers, you may find between 15 and 50 bugs per 1,000 lines of code.
However, there are also other factors that contribute to security flaws in code:
1. Many businesses assign the development of their website to an internal team or to freelancers. Although the basics of coding can be learned quickly these days, many of these developers are not prepared to write secure code. They focus mainly on fulfilling their employer's functional requirements, because those are more visible than the security aspect.
2. It is not rare for a website to be developed by more than one developer. Whether the project is developed by a team, or started by one developer and then taken over and completed by another, you should be aware that each of them has different coding skills. In an ideal world, the code written by each developer would be accompanied by proper documentation giving future developers the essential information (who wrote the code, when, and why). But we do not live in an ideal world; in many cases developers are constrained by very tight project deadlines, and most of the time proper documentation is missing. So one of these developers may be unable to make a function work because of broken code for which they lack the information needed to find the fault and repair it properly.
3. When it comes to security flaws, many developers do not have the opportunity to improve their code because they are not involved in the detection process. Thus, in these cases, the rule “the more experience you have, the better you become” does not apply. Moreover, organisations often insist on having the security tests performed by the same team that wrote the code. Unfortunately, this is an inefficient measure which does not help to assess security properly. To successfully identify the mistakes in the code, you should also arrange an external vulnerability assessment.
Only a manual security code review can give you an assessment of the real level of risk associated with insecure code.
Therefore, when developing your website, you may want to arrange collaboration between your web developer and a penetration tester. This may save you from a lot of problems in the future.