For those who are newbies to security (and by security I don't mean authentication and authorization alone), this may be an eye opener. Heard about CSRF and XSS? There is a lot more, in case you read on. Read this for an eye opener about some crazy stuff: http://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html. Troy has done some great stuff, and you can check out his Pluralsight video as well. But there is something that we all realise: we hardly give much importance to security until the shit hits the fan. There have been more and more cases of hackers stealing credit cards from retail merchants and publishing them, but we should all understand that they were able to do so because "developers were ignorant". Not that I want to run away: I AM A DEV GUY too! But of late there is this new heat being generated that we are not giving adequate importance to these risks and vulnerabilities, which can be exploited, and these security threats can soon become a nightmare you don't want to have! OK, enuf said. Now what? Where do I start?
Simple: heard of OWASP? You need to make sure that you pass these top 10 security risks. You can also go to owasp.org to learn more about it. Every year they publish the latest threats, and for different platforms as well. The top 10 threats for mobile are here:
https://www.owasp.org/index.php/Mobile_Top_10_2014-M10
OK, now that I know what my vulnerabilities are, how do I resolve them, or how do I include this in the SDL (software development lifecycle)? First, as a part of the process, you can use the Threat Modeling Tool from Microsoft (it's free, in case you thought $$$ just now 🙂 ), which is basically a modeling tool like Visio, but one where you can see the vulnerable areas in the design phase itself, so that you are aware of your attack surface and can try eliminating the vulnerable ones. You can download it from here:
http://www.microsoft.com/en-us/download/details.aspx?id=42518
Now, to fix these issues in code you can either Google (which, by the way, gives you a lot more options) or you can use a tool called Fortify from HP, which plugs into your Visual Studio and gives you recommendations based on OWASP rules, severity and other filters as well. But sadly it's paid, and so are tools like Checkmarx and Klocwork. OK, so that's bad news, but sure enough I can guarantee you that if you have the patience, Google has the answers to most of the OWASP risks that your application has. So secure coding then 🙂
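To make "secure coding" concrete for the two risks named at the top of the post (XSS and CSRF), here is an added example. It is not code from the post, from OWASP, or from any of the tools mentioned; it uses only the Python standard library rather than the .NET stack the post assumes, and the session dictionary, function names and the sample input string are all constructed for illustration. It puts a deliberately vulnerable HTML rendering function next to its hardened version, and shows the minimal CSRF token check a form handler should make.

```python
import hmac
import html
import secrets
from typing import Optional

# Constructed sample input: a classic reflected-XSS test string, used here
# only to show how each renderer treats untrusted data.
SAMPLE_NAME = "<script>alert(1)</script>"


def render_greeting_vulnerable(name: str) -> str:
    """Deliberately vulnerable: untrusted input is concatenated straight into
    HTML, so any markup in `name` becomes part of the page (reflected XSS)."""
    return "<p>Hello " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened: html.escape encodes <, >, &, ' and ", so whatever the user
    typed is shown as text and never interpreted as markup."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


def issue_csrf_token(session: dict) -> str:
    """Generate an unguessable per-session token and store it server side.
    The same value is embedded in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Accept the request only if the submitted token matches the one stored
    in the session. hmac.compare_digest avoids timing side channels."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Run both renderers and a CSRF round trip; returns the results so they
    can be inspected (the vulnerable output still contains the script tag)."""
    session: dict = {}  # stands in for a real server-side session store
    token = issue_csrf_token(session)
    return {
        "vulnerable": render_greeting_vulnerable(SAMPLE_NAME),
        "safe": render_greeting_safe(SAMPLE_NAME),
        "csrf_valid": verify_csrf_token(session, token),
        "csrf_forged": verify_csrf_token(session, "attacker-guessed-value"),
        "csrf_missing": verify_csrf_token(session, None),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point a static analyser like the ones named above would flag is the first function: data from the request flows into HTML output with no encoding on the way. The fix is the same whatever the stack (encode at the point of output, validate a server-issued token on every state-changing request); in ASP.NET the framework's own HTML encoder and anti-forgery token helpers serve the same role as `html.escape` and the token check here.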