Tip 1 of Protecting Your SQL-based Cloud Environment - Secure Coding Practices

Making predictions about how technology will develop and affect our lives in the future is something that can be fraught with risk. When we see various experts tell us what they think is going to happen in the future, it is awe-inspiring and fascinating when we see their predictions come true. On the flip-side, the incorrect ones are often cringe-inducing (and both are immortalized on the internet for future generations to applaud or jeer at forever). 

One of the most famous (or infamous) of those prognostications comes from a Newsweek article in 1995, where Dr. Clifford Stoll, astronomer and computer expert, attempted to forecast the direction of the internet. The article was essentially a prediction that the internet would never amount to much. And while some of Stoll’s predictions were pretty accurate, he got it wrong on the whole. 

For instance, when Stoll talked about e-commerce (he called it “cyberbusiness”), he asked, “So how come my local mall does more business in an afternoon than the entire internet handles in a month?” Considering the trillions of dollars that are spent on ecommerce today, that comment is pretty cringey.

I think we can all safely assume today that the internet is no fad. Today, thousands of companies use the Internet and web applications as their primary means of conducting “cyberbusiness”. The pervasive use of hybrid and public cloud infrastructure to develop and publish web applications faster and faster means that there is a continuous growth of that business on the web.

That growth also means that the potential for loss, theft or abuse is growing. Large databases are sitting behind those web applications, each containing all manner of sensitive information like credit card numbers, Social Security numbers, health information, product codes, intellectual property, etc. Cyber criminals want that data. 

So how do we go about building protections against the bad people? How do we keep cyber attackers from abusing weaknesses in our web applications and infrastructure? There are 5 tips that can help you start getting ahead of cyber criminals when they come after your SQL-based apps that you have deployed on the cloud: Secure coding practices, vulnerability scanning and penetration testing, layered defense, blocking and tackling, and intelligent log analysis. For the first tip in this 5-part series, let’s start by looking at secure coding practices.

1. Secure coding practices for web applications – don’t trust the input

The first line of defense against web application security flaws like injection and cross-site scripting should always be the creation and deployment of secure code. And the first rule of secure coding is that all input going into a web application should be considered untrusted and potentially malicious. The source of the data does not matter, even if you consider that source trusted (i.e. data coming only from an internal source of some kind and not from the public internet). Secure coding techniques can then be applied to make sure that ALL data that is coming into the web application is cleaned or blocked.

Let’s look quickly at an illustration of why secure coding is so important. A cyber attacker is focusing on a customer relationship management (CRM) application. In this case, the CRM app has a simple web form that a sales person can use to input a 5-digit customer ID to look up their latest purchases. The cyber attacker finds the form and starts inputting various SQL commands to see if the form field is vulnerable to the much-dreaded (and still very common) SQL injection (SQLi) attack. At this point, there are two possibilities: 1) the developer wrote the web application in such a way that data plugged into that form is validated and thus hardened against SQLi; or 2) the form field allows pretty much any input, and the cyber criminal can send SQL commands from the web application directly into the database. 

If the second of these two scenarios is true, the cyber attacker is taking advantage of code that essentially trusts all input and does not attempt to validate that input. Commands sent by the cyber criminal can be interpreted by the database to perform actions like downloading a table from the database, or maybe even the entire database. Or, if the cyber attacker is having a bad day and just feels like wrecking your day, commands can be issued to delete or overwrite the data altogether. Either way, if your business is using a vulnerable form like this, someone will soon be explaining to your customers how their data got leaked or destroyed. That will not be good for business.

The good news is that the first scenario of a hardened and secure web application is very achievable. Web application attacks like SQLi and others are very well documented. Methods of mitigation (i.e. sanitization, parameterization, whitelisting, and others) are easy to learn and can be found all over the web. 

One such source for learning about how to code more securely is the Open Web Application Security Project (OWASP). Their Top 10 list of the most critical web application security risks is the de facto web application security standard for companies and regulating bodies around the world. Each of the Top 10 entries contains various methods for blocking attacks. 

If you want to know more about specifically avoiding SQLi from the example above, you should take a look at the OWASP SQL Injection Prevention Cheat Sheet. Also, if you really want to dig into SQLi, I suggest reading this article. All of these resources will get you started in your research on how to code more securely.

This post was a collaborative effort with Joe Hitchcock.

About the Author

Michael Farnum - Principal, Cloud Security Practice

Michael Farnum

Michael Farnum is a principal in the Alert Logic Cloud Security Practice and has over 23 years of IT & Security experience. Prior to Alert Logic, Michael was a practice principal for the Fortify on Demand application security business unit at Hewlett Packard Enterprise. During his career, he filled roles including independent security consultant, network security engineer, information security manager, pre-sales security engineer, and security solutions manager. Michael is also the founder and organizer of HouSecCon, a non-profit Houston-area security conference which has helped educate Houstonians (and neighbors) since 2010. Prior to his career in IT Security, he was an M1A1 main battle tank crewman in the US Army. He brings a wealth of application security knowledge, direct field work, and industry relationships to the business.

Connect | Email Me | Articles: 9