
Technical Thursday

Application security and data protection

Posted by: Eva
Category: Performance testing

‘Hackers are having a field day with cheap smart appliances’, ‘Facebook data from 3 million Belgians sloshing about on the internet’, ‘Client data of Dutch and Belgian online shoppers put up for sale on the internet’, ‘Cyberattack on Defence Ministry and PM’s websites’… the list of articles related to application security and data protection is getting longer every day. More than ever, securing applications against malicious practices is a hot topic for developers and testers. To keep up with the latest developments in security risks and solutions, we highly recommend the OWASP standards.

OWASP, whut?

OWASP (Open Web Application Security Project) is an open-source project that provides free information on application security. The OWASP Foundation describes itself as:

“a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.”

Every few years they release a Top 10 of vulnerabilities: a broad consensus about the most critical security risks to (web) applications. It’s an ‘awareness’ document for companies to include in their processes in order to minimize those risks. To better understand the subject, let’s look at an example.

An example

One of the items in the Top 10 is ‘Injection’. Let’s say you are using a website and click on a product. In the background, the application may send an SQL query like this to the database:

SELECT Product_Name, Product_Description
FROM Products
WHERE Product_id = 123

In this case, the user receives the name and description of the product with id 123. Pretty straightforward. Now, let’s assume that you intercept that query, slightly modify it and send it to the database like this:

SELECT Product_Name, Product_Description
FROM Products
WHERE Product_id = 123 OR 1 = 1

In the above case, we have appended the condition ‘OR 1 = 1’ to the query. 1 = 1 is always true, so if we send that query to the database, we get a list of ALL the products, even items that were hidden or not available to our user profile.

And we could be even more creative. Let’s say we again modify the existing query and merge it with another one:

SELECT Product_Name, Product_Description
FROM Products
WHERE Product_id = 123 UNION SELECT Username, Password FROM Users

By adding the UNION query, we could get hold of all the usernames and passwords of the application. Or we could just as easily ‘DROP’ a table and, by doing so, make the application fail.
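To make the mechanism above concrete, here is a small added example (not from the original post) in Python with SQLite: the product lookup built by string concatenation, which executes the three queries from the text exactly as written, beside a version that validates the id and binds it as a parameter so the same input is treated as a value rather than as SQL. The table names follow the post; the rows and passwords are constructed sample data.

```python
import sqlite3

# Constructed sample data (not from the original post): the Products and
# Users tables the queries in the text refer to, with a few made-up rows.
SCHEMA = """
CREATE TABLE Products (Product_id INTEGER, Product_Name TEXT, Product_Description TEXT);
INSERT INTO Products VALUES (123, 'Kettle', 'Boils water');
INSERT INTO Products VALUES (124, 'Toaster', 'Toasts bread');
INSERT INTO Products VALUES (125, 'Staff-only item', 'Not shown to customers');
CREATE TABLE Users (Username TEXT, Password TEXT);
INSERT INTO Users VALUES ('alice', 'example-password');
"""


def open_db():
    """Create an in-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, product_id):
    """Build the query by string concatenation.

    Whatever the client sends as the product id becomes part of the SQL text,
    so 'OR 1 = 1' or 'UNION SELECT ...' is executed as SQL by the database.
    """
    sql = ("SELECT Product_Name, Product_Description FROM Products "
           "WHERE Product_id = " + product_id)
    return conn.execute(sql).fetchall()


def lookup_safe(conn, product_id):
    """Validate the input shape, then pass it as a bound parameter.

    The id travels to the database as a value, never as SQL text, so the
    database cannot mistake it for part of the query.
    """
    if not product_id.isdigit():          # a product id is a plain number
        return []                         # reject anything else outright
    sql = ("SELECT Product_Name, Product_Description FROM Products "
           "WHERE Product_id = ?")
    return conn.execute(sql, (int(product_id),)).fetchall()


if __name__ == "__main__":
    conn = open_db()
    for payload in ("123", "123 OR 1 = 1",
                    "123 UNION SELECT Username, Password FROM Users"):
        print(repr(payload))
        print("  concatenated: ", lookup_vulnerable(conn, payload))
        print("  parameterised:", lookup_safe(conn, payload))
```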

The essence

Without going into detail on how to protect your application against these different kinds of attacks, it is clear that developers and testers need to be aware of these risks and should know how to secure their applications against them.

At Brightest we are investing a lot in our security solution. We strongly believe we can deliver better quality if the vulnerabilities of the application are also tested and secured. If you want to know more about this topic, please contact us or register for our training on web application security on 29/10.


    Written by Stef Geeurickx, Domain lead & Regional Manager.
