When bugs do arise, vendors are expected to release fixes almost immediately. It is truly a double-edged sword. However, the common practice of "penetrate and patch" has drawn criticism from the security community, because vendors simply release one temporary fix after another to appease users and keep their reputation intact. Security experts argue that this ad hoc methodology does not reflect solid engineering practice: most security flaws are introduced early, in the application design phase, where a patch cannot reach them. Good applications and bad applications are differentiated by six key factors:
Chapter 3: Proper and Ethical Disclosure
1. Authentication and authorization. The best applications ensure that authentication and authorization steps are complete, enforced on the server, and cannot be circumvented (for example by calling a privileged function directly and skipping the login flow).
2. Mistrust of user input. Users should be treated as "hostile agents": every input is validated on the server side, strings are bounded in length before they reach native code (which is what actually prevents buffer overflows), and markup is stripped or escaped so that it cannot be injected into pages or queries.
3. End-to-end session encryption. Entire sessions should be encrypted, not just the portions of activity that contain sensitive information. In addition, secure applications should have short inactivity timeouts that require users to reauthenticate after a period of inactivity.
4. Safe data handling. Secure applications also ensure that data at rest, stored while the system is inactive, is protected, not only data in transit.
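The following is an added illustration of how the first three factors look in server-side code; it is not from the book. It assumes a hypothetical `Session` object, a hard length cap of 256 characters per text field, a 15-minute idle timeout, and a `now` parameter used to inject the clock for testing.

```python
"""Server-side enforcement of three of the factors above: authorization that
cannot be bypassed, mistrust of user input, and idle-session timeouts.
Added example; the Session class and constants are assumptions."""
import html
import time
from dataclasses import dataclass, field

MAX_FIELD_LEN = 256          # assumed hard upper bound on any text field
IDLE_TIMEOUT_SECONDS = 900   # assumed: reauthenticate after 15 minutes idle


@dataclass
class Session:
    user: str
    roles: frozenset
    last_activity: float = field(default_factory=time.time)

    def is_active(self, now=None):
        """False once the user has been idle longer than the timeout."""
        now = time.time() if now is None else now
        return (now - self.last_activity) <= IDLE_TIMEOUT_SECONDS

    def touch(self, now=None):
        """Record activity so the idle clock restarts."""
        self.last_activity = time.time() if now is None else now


def sanitize_field(value):
    """Server-side validation of one text field.

    Length bounding is what stops overflow-style bugs in native back ends;
    escaping markup is what stops injection when the value is echoed back.
    Both happen here, on the server, regardless of what the client did."""
    if not isinstance(value, str):
        raise ValueError("field must be a string")
    if len(value) > MAX_FIELD_LEN:
        raise ValueError(f"field exceeds {MAX_FIELD_LEN} characters")
    if any(ord(c) < 0x20 and c not in "\t\n" for c in value):
        raise ValueError("control characters not allowed")
    return html.escape(value, quote=True)


def require_role(role):
    """Decorator: the handler body is unreachable unless the session is
    still active and carries the required role. There is no client-side
    flag or URL that skips this check, which is the point of factor 1."""
    def wrap(handler):
        def guarded(session, *args, now=None, **kwargs):
            if session is None or not session.is_active(now):
                raise PermissionError("reauthentication required")
            if role not in session.roles:
                raise PermissionError(f"role {role!r} required")
            session.touch(now)
            return handler(session, *args, **kwargs)
        return guarded
    return wrap


@require_role("admin")
def delete_account(session, target_username):
    """Privileged handler; input is still sanitized even for an admin."""
    name = sanitize_field(target_username)
    return f"{session.user} deleted account {name}"


if __name__ == "__main__":
    # Constructed sample run: an admin acts, idles past the timeout, and
    # is then refused until reauthentication; a non-admin is refused outright.
    admin = Session("alice", frozenset({"admin"}), last_activity=1000.0)
    print(delete_account(admin, "<b>bob</b>", now=1500.0))
    try:
        delete_account(admin, "bob", now=1500.0 + IDLE_TIMEOUT_SECONDS + 1)
    except PermissionError as e:
        print("refused:", e)
```

The decorator is the place where the "cannot be circumvented" property lives: every privileged handler is wrapped, so an attacker who discovers the handler's name or URL still hits the same session and role checks. Note that `touch` is called only after both checks pass, so a refused request does not extend the idle window.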