Since the publication of the last Codurance newsletter, the Open Web Application Security Project (OWASP) has released the latest version of the renowned OWASP Top 10.
The OWASP Top 10 is a periodically updated document, designed to promote an awareness of the most common and critical security risks to web applications. The list is compiled by a project team which includes a variety of security experts from around the world.
Injection flaws (such as SQL, NoSQL, OS, and LDAP injection) remain at the top of the list, but since the last revision in 2013 three new risks have been added: XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging and Monitoring. This last item, Insufficient Logging and Monitoring, is particularly interesting.
Unfortunately, I have seen many projects where logging and monitoring tasks have been given a lower priority than the building of features deemed to be delivering direct business value. In reality though, retrofitting a sufficient logging and monitoring solution into a modern complex and distributed system is hugely time-consuming and error-prone. The more complex and distributed that a system becomes, the more critical comprehensive logging and monitoring are for supporting the application in production, further compounding the problem.
In addition to production support requirements, studies have shown that the time to detect a system breach is typically over 200 days and, shockingly, such breaches are more often detected by external parties than by internal processes such as monitoring or automated anomaly detection. This extended time from breach to detection gives attackers freedom to further attack systems, gather or destroy sensitive data and find further exploits.
At Codurance we advocate building a Walking Skeleton as the first phase of any software project. Logging and monitoring should be implemented as part of this phase and in such a way as to make it easy for developers to record activities such as login, access control failures, and server-side input validation failures, with sufficient user context for application support systems to easily detect and investigate important incidents.
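As an added illustration (not code from the newsletter or from Codurance), here is a structured security-event logger of the kind described above, recording logins, access control failures and server-side validation failures with user context, plus a simple detection pass over constructed sample events. The event names, field names, thresholds and sample values are all assumptions.

```python
import json
import logging
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical security-event logger: each event is one JSON line with a fixed
# set of fields, so monitoring tools can parse it without guessing at formats.
SECURITY_LOG = logging.getLogger("security")

def security_event(event, user_id, source_ip, outcome, detail=None, when=None):
    """Build, emit and return one structured security event."""
    record = {
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "event": event,        # "login", "access_control", "input_validation"
        "outcome": outcome,    # "success" or "failure"
        "user_id": user_id,    # user context needed to investigate an incident
        "source_ip": source_ip,
        "detail": detail or "",
    }
    line = json.dumps(record)
    if outcome == "failure":
        SECURITY_LOG.warning(line)
    else:
        SECURITY_LOG.info(line)
    return record

def detect_repeated_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Return (event, user_id, source_ip) keys with >= threshold failures in window."""
    buckets = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            key = (e["event"], e["user_id"], e["source_ip"])
            buckets[key].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):       # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts

def sample_events():
    """Constructed sample: a burst of failed logins plus isolated failures."""
    base = datetime(2017, 11, 20, 9, 0, tzinfo=timezone.utc)
    events = [security_event("login", "alice", "203.0.113.5", "failure",
                             "bad password", base + timedelta(seconds=30 * i))
              for i in range(6)]
    events.append(security_event("login", "alice", "203.0.113.5", "success",
                                 when=base + timedelta(minutes=4)))
    events.append(security_event("access_control", "bob", "198.51.100.7", "failure",
                                 "GET /admin/users denied", base + timedelta(minutes=1)))
    events.append(security_event("input_validation", "bob", "198.51.100.7", "failure",
                                 "field 'email' failed format check", base + timedelta(minutes=2)))
    return events
```

Running `detect_repeated_failures(sample_events())` flags only the burst of failed logins for `alice`; the single access control and validation failures are logged with context but do not trip the threshold.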
Steve is a Principal Craftsman and author with over 18 years professional experience. During his career, Steve has worked on projects in a wide variety of sectors including retail e-commerce, finance, education, media, government and healthcare, developing large-scale, resilient, distributed systems on an assortment of platforms. He currently specialises in solutions built on the Microsoft .Net stack, with a particular interest in cloud computing using the Microsoft Azure platform.
All of the videos from SC London are now published and available to watch here. You can also subscribe for updates (http://sc-london.com/#subscribe) on SC London 2018, to gain updates on super early bird tickets and speaker announcements.
'Any of us who has programmed in a language that permits null references will have experienced what happens when you try to dereference one. Whether it results in a segfault or a NullPointerException, it's always a bug.' By Richard Wild
'This week we had a software design night at Codurance. We spent almost three hours talking about many interesting things but there were a few things that really stuck with me: We all have software design bias.' By Sandro Mancuso
Mashooq Badar explores the notion of Fractured Skill within software development, and why it's critical that all roles within a team have a broad appreciation of skills used, with their own depth of knowledge.
Jorge Gueorguiev Garcia recently posted about functional calisthenics (https://codurance.com/2017/10/12/functional-calisthenics/). In this post, he provides additional rules/premises/requirements for three katas.
Raquel M Carmena reflects on Lambda World Conference 2017, two intense days of workshops, sessions and open spaces focusing on Functional Programming.
Our Chance to say 'We're Hiring'
We're hiring Software Craftspeople that share the same values of Professionalism, Pragmatism and Pride in Software Development that we do. If you're ready for autonomy, mastery and purpose in your career, then click here.