Healthy Apps, Unhealthy Outcomes


By Ericka Chickowski

Some of the better track sessions at this year's RSA dealt with the tricky topic of secure application development. Quite simply, crummy code is the root of many security evils, and to root out bad coding practices is to get to the heart of many problems in information security.

However, it isn't just the make-up of the code that can make an application insecure. Many times the innate functionality of the software itself is the vulnerability. In a session last week about seven deadly business-logic flaws, researcher Trey Ford with White Hat Security explained that there are many programs out there, particularly Web 2.0 applications. that are designed without thinking about how users may misuse the functions to disastrous ends, whether maliciously or not.

These logic flaws within applications are not like bugs or quality errors in code, for which organizations can scan and review to find. No, these are inherent design problems. For example, online polling functions that can be overly influenced by an online movement, as happened with Stephen Colbert's Twitter followers and the space station naming contest.

There are no quick fixes for these logical errors, no technology that can patch them. They're only solved by a sound awareness of security throughout the development process and an ability to think about how an application can be potentially misused.