Chapter 16. Evaluating Application Security
So you just forked over half a boatload of your shareholders' hard-earned equity to a small Web shop for a nifty new storefront for your company. The new storefront will go on the company Web server, and you expect that it will generate huge sales. Then this creeping suspicion starts: is this thing really secure? After all, the company was recommended by your son, who is a high school senior, and it consists mostly of his snowboarding buddies. What do they know about security?
Well, we cannot make an application hacker out of you in the span of 22 pages. However, we can give you some tips for what to look for in new applications to determine whether they present any glaring vulnerabilities. We will not limit ourselves only to custom-developed Web apps from small Web shops run by high school seniors. We also include some things to look for in server applications, a couple of client application hints, and even some things for general application security. Hopefully, there is something in here for everyone, although the largest piece will be on input validation in applications.
WARNING: Just because an application does not exhibit any of the flaws we discuss in this section does not mean it is safe! Go back to Chapter 1, "Introduction to Network Protection," and review the unicorn example. You can never prove safety. You can only prove lack thereof. Do not take this chapter as final advice as to whether to deploy a mission-critical application. Consider your security policy and get a comprehensive review by experts if the policy warrants it.