Codepath

Expect the unexpected

Security is proactive, not reactive. Developers do not get the opportunity to watch an opponent's movements and react to them, as they could in a sword fight or a chess match.

Developers should assume their systems will be attacked and then figure out how it will happen and how to prevent it ahead of time. It is a "mystery in reverse".

A hacker's best attack avenue is the unexpected one--to walk through the door that is not being watched. Often this means probing a system looking for mistakes or poor assumptions made by the developer.

The best way to close these avenues is to do a complete security review and to be constantly mindful of security. It is helpful to think about what assumptions have been made and to challenge those assumptions.

Many security weaknesses lie in "edge cases". Developers often code only for the path through the application that users are expected to take, but they must also consider the out-of-the-ordinary possibilities. Common examples include unexpected characters, control or escape characters for various programming languages, and race conditions.

For example, imagine a form with a text input field for a city name. The expected path, sometimes called the "happy path", is for the user to enter their city name.

A sample of edge cases to consider might include:

  • The user enters no text.
  • The user enters too much text.
  • The user copies and pastes text from the clipboard.
  • The user enters non-alphanumeric characters (< > . ; ` ' " ? / @ % +).
  • The user enters emojis or other non-ASCII characters.
  • The user enters multi-byte characters from languages like Chinese or Arabic.
  • The user enters a non-existent city name.
  • The user enters a city name which does not match the country provided.
  • The user copies the form to their server and submits it.
  • The user copies the form and omits the city input field.
  • The user copies the form and edits the HTML for the city input field.
  • The user copies the form and changes the POST request to a GET request.

It is important to consider all possible avenues of attack. Writing software tests can provide reassurance that considered vulnerabilities have been adequately addressed.
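The following added example (not part of the original page) turns several of the edge cases listed above into one server-side check for the city field. The function name `validate_city`, the request shape, the length limit, the allowed punctuation and the sample city table are all assumptions made for illustration.

```python
import unicodedata

MAX_LEN = 85                     # assumed limit; choose one that fits your data
ALLOWED_PUNCT = set(" -'.")      # e.g. "Saint-Denis", "St. John's"
# Constructed sample data; a real application would query its own gazetteer.
KNOWN_CITIES = {
    "US": {"chicago", "st. louis"},
    "BR": {"s\u00e3o paulo"},
    "CN": {"北京"},
    "EG": {"القاهرة"},
}

def validate_city(method, form):
    """Return (True, normalized_city) or (False, reason).

    `method` is the HTTP verb and `form` the parsed request body as a dict;
    both are assumed to be supplied by the web framework.
    """
    # A copied form can change the verb, so check it on the server.
    if method != "POST":
        return False, "method not allowed"
    city, country = form.get("city"), form.get("country")
    # A copied form can omit a field or repeat it (yielding a list).
    if not isinstance(city, str) or not isinstance(country, str):
        return False, "missing field"
    # Normalize first so visually identical inputs compare equal.
    city = unicodedata.normalize("NFC", city).strip()
    if not city:
        return False, "empty"
    if len(city) > MAX_LEN:
        return False, "too long"
    for ch in city:
        # Letters and combining marks from any script pass (L*, M*);
        # digits, symbols, emoji and control characters do not.
        if unicodedata.category(ch)[0] not in "LM" and ch not in ALLOWED_PUNCT:
            return False, "invalid character"
    # Existence and country match are checked against trusted data.
    if city.casefold() not in KNOWN_CITIES.get(country, set()):
        return False, "unknown city for country"
    return True, city
```

Because a legitimate city name can contain an apostrophe, passing this check does not make the value safe to concatenate into SQL or HTML; parameterized queries and output encoding are still required.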

Staying informed about Common Vulnerabilities and Exposures (CVE) and the attack vectors that others have recently experienced will be helpful in planning defenses.
