12 programming mistakes to avoid

1 2 3 4 5 Page 3
Page 3 of 5

One of the simplest attacks relies on the fact that some programmers just pass along the client's data to the database, a process that works well until the client decides to send along SQL instead of a valid answer. If a website asks for a user's name and adds the name to a query, the attacker might type in the name x; DROP TABLE users;. The database dutifully assumes the name is x and then moves on to the next command, deleting the table filled with all of the users.

There are many other ways that clever people can abuse the trust of the server. Web polls are invitations to inject bias. Buffer overruns continue to be one of the simplest ways to corrupt software.

To make matters worse, severe security holes can arise when three or four seemingly benign holes are chained together. One programmer may let the client write a file assuming that the directory permissions will be sufficient to stop any wayward writing. Another may open up the permissions just to fix some random bug. Alone there's no trouble, but together, these coding decisions can hand over arbitrary access to the client.

Mistake No. 6: Not trusting the client enough

Sometimes too much security can lead paradoxically to gaping holes. Just a few days ago, I was told that the way to solve a problem with a particular piece of software was just to "chmod 777" the directory and everything inside it. Too much security ended up gumming up the works, leaving developers to loosen strictures just to keep processes running.

Web forms are another battleground where trust can save you in the long run. Not only do bank-level security, long personal data questionaires, and confirming email addresses discourage people from participating even on gossip-related sites, but having to protect that data once it is culled and stored can be far more trouble than it's worth.

Because of this, many Web developers are looking to reduce security as much as possible, not only to make it easy for people to engage with their products but also to save them the trouble of defending more than the minimum amount of data necessary to set up an account.

My book, "Translucent Databases," describes a number of ways that databases can store less information while providing the same services. In some cases, the solutions will work while storing nothing readable.

Mistake No. 7: Relying too heavily on magic boxes

Worried about security? Just add some cryptography. Want your databases to be backed up? Just push the automated replication button. Don't worry. The salesman said, "It just works."

1 2 3 4 5 Page 3
Page 3 of 5
7 inconvenient truths about the hybrid work trend
 
Shop Tech Products at Amazon