Wednesday, June 08, 2011

Can site audit replace need for secure coding practices?

A web application development company, rather than employing data validation and sanitization, chooses to audit an eCommerce site for PCI compliance and agrees to remediate vulnerabilities found during the audit. Is this a clever way of doing the bare minimum while at the same time deflecting liability onto the auditing company?

Data validation is like diet and exercise, general and non-targeted, whereas an audit is like a medical test, specific and targeted. The former is preventive whereas the latter is diagnostic.

Like everything else in life, you can live with one, both, or none, depending on your risk tolerance. For development organizations that contract to build web applications for their customers, secure coding adds to the cost of the project: training, hiring developers experienced in secure coding, and added time.

Of course, there is another consideration - standard coding practices. Whether written into the contract or not, there is an understanding that a serious organization and mature developers would be expected to follow standard coding practices. But here's the caveat: who defines the standards? The same organization that is trying to duck its responsibilities defines its corporate coding standards, and can do so by excluding secure coding practices. This matters when writing contracts - web site owners must include the standards as an addendum to the contract.

Relying on the web development organization to implement secure coding on its own gives a false sense of security. Rather than stating a general requirement in the contract to adhere to standards, specifics must be included. For example, the value of each variable received from another system or user must first be validated to check that it has the expected length and that it is non-numeric, numeric, or alphanumeric, as the case may be.
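The kind of contractual requirement just described (every received value checked for expected length and character class before use) can be made concrete in code. The following is an added illustration, not code from the post or from any particular vendor: it assumes a hypothetical checkout form whose field specification table, field names and sample submissions are all constructed for the example. The point it shows is that validation is a positive allowlist, so values that are too long, of the wrong class, or simply not part of the form are rejected before any business logic sees them.

```python
import re

# Character classes named in the contract language: numeric, alpha, alphanumeric.
KINDS = {
    "numeric": re.compile(r"[0-9]+"),
    "alpha": re.compile(r"[A-Za-z]+"),
    "alphanumeric": re.compile(r"[A-Za-z0-9]+"),
}

# Hypothetical per-field specification for a checkout form, constructed for
# this example: field name -> (max_length, kind, required).
FIELD_SPECS = {
    "quantity":    (4, "numeric", True),
    "postal_code": (10, "alphanumeric", True),
    "first_name":  (40, "alpha", True),
    "coupon":      (12, "alphanumeric", False),
}


def validate_field(name, value, specs=FIELD_SPECS):
    """Check one submitted value against its spec.

    Returns None when the value is acceptable, otherwise a short reason
    string. Fields not present in the spec are rejected outright: anything
    the form never defined is treated as untrusted input.
    """
    if name not in specs:
        return "unexpected field"
    max_len, kind, required = specs[name]
    if not isinstance(value, str):
        return "not a string"
    if value == "":
        return "empty" if required else None
    if len(value) > max_len:
        return f"length {len(value)} exceeds {max_len}"
    if KINDS[kind].fullmatch(value) is None:
        return f"not {kind}"
    return None


def validate_request(params, specs=FIELD_SPECS):
    """Validate a whole submission; returns {field: reason} for every problem.

    An empty dict means the request may proceed. Required fields that are
    absent are reported as well, so a client cannot sidestep a check by
    simply omitting the parameter.
    """
    errors = {}
    for name, value in params.items():
        reason = validate_field(name, value, specs)
        if reason is not None:
            errors[name] = reason
    for name, (_, _, required) in specs.items():
        if required and name not in params:
            errors[name] = "missing"
    return errors


if __name__ == "__main__":
    # Constructed sample submissions: one well-formed, one that breaks every rule.
    good = {"quantity": "2", "postal_code": "SW1A1AA", "first_name": "Ada"}
    bad = {
        "quantity": "1'--",          # wrong character class for a numeric field
        "postal_code": "<b>x</b>",   # markup where only alphanumerics belong
        "first_name": "A" * 41,      # over the agreed maximum length
        "is_admin": "true",          # parameter the form never defined
    }
    print(validate_request(good))   # {}
    print(validate_request(bad))
```

The specification table is the part a site owner can actually attach to a contract: it names every field, its maximum length, and its permitted character class, which is exactly the level of detail the paragraph above asks for instead of a vague "follow coding standards" clause.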

Wait a minute, are web site owners expected to know what secure coding is in order to demand secure coding? The answer is yes when dealing with development organizations that have no scruples. Unfortunately, not many businesses are security savvy, and very rarely do they have someone on staff who is technically skilled in web application security. Before hiring a contractor for web site development, a security consultant should be hired. It is just like having an architect on board before hiring a building contractor.