Why cutting back on features can improve security

To help avoid common programming errors when building a Web-based app, IT leaders shouldn’t be afraid to scale back on features, according to Info-Tech Research Group Ltd.

“If you have a limited budget, make sure some proportion of it is allocated to considering security, another portion to the usability of the product, and so on,” said Howard Kiewe, a senior research analyst with the London, Ont.-based consultancy. “Don’t allocate all your time and money to the features of the project.”

For Kiewe, cutting back on features leads to a simpler application, which makes it a lot easier to use and secure. A narrow feature list can force you to prioritize and focus on what’s really important and deliver business value in the process, he added.

And while avoiding “feature overload” during application development is one of the most important measures for preventing troublesome programming mistakes, another overlooked area is the lack of security planning in the architecture and implementation stage.

“Security needs to be something that you consider when you’re designing the application,” said Kiewe, adding that the development of coding standards and processes in the early stages will give the programmers a good baseline during the rest of the process.

Thinking about security at the beginning of the app lifecycle will also limit the frequency of dangerous programming errors. For example, to avoid incorrect permission assignment during the architecture and design phase, programmers can simply divide an application into different security log-ins, such as anonymous, normal, or privileged.

“That needs to be designed initially because this will determine the nature of your data structure,” Kiewe said. “Let’s say there are functions that can only be accessed by somebody with administrator level privileges, there are functions that are read-only that the whole world can view, and there is another set that return data to internal employees only.”

“This needs to be thought out during the implementation phase, so a programmer can say, ‘This shouldn’t be accessible to anybody except those with administrative privileges’ and so on,” he added.

Kiewe said a common mistake for companies is to overlook security at the design and implementation stages and begin the process after the application is completed and in testing.

“It’s almost as if companies go about it backwards,” he said. “The process is, ‘We need to do security so let’s test the application, find out if there’s any issues, and work backwards to make changes at the code level.’”

Another common, but avoidable, programming error can occur when Web or network-driven software saves critical state data in a vulnerable location, including a stored cookie or database record. In this instance, according to Kiewe, an attacker can gain access to state data related to end-user authentication and access restricted data.

By implementing complementary security checks in client and server environments, he added, even if an attacker gains access to client-side state data, they will be exposed during the subsequent server-side check.
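As an added example that is not from the article or from Info-Tech, the tiered log-ins from the design discussion above (anonymous, normal, privileged) and the client-side versus server-side state check described here, modelled in a few lines of Python. The function names, the policy table and the in-memory session store are constructed for illustration.

```python
import secrets

# The three access tiers named in the article, ordered by privilege.
TIERS = {"anonymous": 0, "normal": 1, "privileged": 2}

# Constructed policy: the minimum tier each server function requires.
REQUIRED_TIER = {
    "view_public_report": "anonymous",   # read-only, the whole world may view
    "view_internal_data": "normal",      # internal employees only
    "delete_user": "privileged",         # administrator-level only
}

# Constructed in-memory session store: opaque session id -> role.
# The role lives here, on the server, never in the cookie itself.
SESSION_STORE = {}


def create_session(role):
    """Issue an unguessable session id for an authenticated user."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = role
    return sid


def resolve_role_insecure(cookies):
    """Vulnerable pattern: the role is read straight from client-held state."""
    return cookies.get("role", "anonymous")


def resolve_role(cookies):
    """Hardened pattern: the cookie carries only an opaque id; the server owns the role."""
    return SESSION_STORE.get(cookies.get("sid", ""), "anonymous")


def authorize(role, function):
    """Server-side check: does the resolved tier meet the function's requirement?"""
    required = REQUIRED_TIER.get(function)
    if required is None:
        return False  # unknown function: deny by default
    return TIERS.get(role, 0) >= TIERS[required]


def handle_request(cookies, function, resolver=resolve_role):
    """Return an HTTP-style status for a request carrying the given cookies."""
    role = resolver(cookies)
    return 200 if authorize(role, function) else 403
```

With the hardened resolver, a cookie altered to claim `role=privileged` changes nothing, because the server-side lookup, not the client-held value, decides the tier.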

Companies can deal with every entry on the CWE/SANS Top 25 Most Dangerous Programming Errors list, Kiewe said, if IT leaders make it a point to address security at the beginning of any new application development project.

Jim Love, Chief Content Officer, IT World Canada