Using SDLC Checklists and Reviews to Avert Security Flaws

[attachment=18063]
Do you know?

75% of attacks today happen at the Application (Gartner). Desktop augmented by Network and then Web Application Security.

Many “easy hacking recipes” published on web.

3 out of 4 vendor apps we tested had serious SQL Injection bugs!

“The cost of correcting code in production increases up to 100 times as compared to in development...”
(1) MSDN (November, 2005) “Leveraging the Role of Testing and Quality Across the Lifecycle to Cut Costs and Drive IT/Business Responsiveness “


Web File Query

A hacker tests for HTTP (80) or HTTPS (443)
Does a “View Source” on HTML file to detect directory hierarchy
Checks for directory listings or enumeration
Can view sensitive information inadvertently left by system administrators or programmers
Database passwords in /include files
Data files with SSNs in /data directories


SQL Injection Attacks

SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements. “ (Wikipedia)