Building Dependable Enterprise Applications

Howdy all, I know I did not keep my promise to regularly update this blog. But, before you start firing at me let me tell you the reason for it.. No, its not an excuse – I have a valid reason for it. In fact a good reason for not blogging regularly.

8511595415_4901b9e1cd_k

My life has changed since my last post. My dear wife gave birth to our first child 10 weeks ago. A beautiful angel daughter.. So, life is a little busy.

However, last night i got a chance to write about application security which ended up as a blog post on my company’s tech blog under the title Building dependable enterprise applications. You can access it at

http://www.purehacking.com/blogs/sandeep-nain/building-dependable-enterprise-applications.

Have a read and feel free to let me know what you think of it. It’s the time to sing lullaby for the little baby. So, I’ll say bye for now and hope that I will return very soon to write something new.

Secure Thy Databases…

We have come a long way since a bunch of non-interactive pages written in plain HTML were considered to be a cool website. Today’s web sites more often than not are highly interactive, developed using sophisticated client and server side scripting code and with a relational database at the back storing and serving the data needed for website to work… blah blah blah… Well if you are reading this blog, I am sure you know all this theory. So, why I am writing this blog post? Two reasons:

4140461901_56d33e3737_b
  1. It’s been a long while since I posted last
  2. I found something which I wrote 4 years ago and I believe it’s worth sharing

Today, while going through my documents I came across a whitepaper which I wrote in Nov. 2007 titled “Dealing with Threats to Databases”. Yes, the title is same as that of my presentation at OWASP Australia in 2008. The slides for that talk can be found here.

So, If the paper was written in 2007 and presented in 2008, why am I am posting about it today i.e. in 2011.

Answer: The content of the paper is still valid and points raised are still applicable. If you don’t believe me, the proof can be found in the following links:

If you happen to check out these links, you will know that the vulnerability exploited in both the attacks is SQL injection. SQL Injection is not a new issue and has been around since last 8 to 10 years if not more. The application security evangelists have been preaching the countermeasures for the same since a long time as well. So why is the issue still there? I really don’t know the answer to this. May be the language used by the evangelists wasn’t clear enough or way of preaching/teaching/training wasn’t good enough.

So, here I am to explain the countermeasures to protect the databases once and for all. The next few posts (I promise to post the whole section within a week) will be focused on “Securing the databases”.

Just before ending this post I would like to give a “Mantra” to all the developers to avoid SQL injection. Repeat after me:

Writing dynamic queries is a sin. Parameterized queries will protect us from the wrath of SQLi.”

Writing dynamic queries is a sin. Parameterized queries will protect us from the wrath of SQLi.”

Writing dynamic queries is a sin. Parameterised queries will protect us from the wrath of SQLi.”

“Writing dynamic queries is a sin. Parameterised queries will protect us from the wrath of SQLi.

Make sure you remember this Mantra before coming to read the next post. See you all real soon and till then “ parameterized queries will protect us……

Story behind this blog!

Someone once said to me “If you can walk with the crowd, still hold your head high and stand out, then you would have arrived“.

6099561804_5207dc5fe3_o

Since that day “to arrive” has been my aim and while walking on the path to achieve this, I found many, left many and then there were few which I kept close to my heart. Not talking about people here (ofcourse it applies to people too) but the software development lessons which I learnt from my peers, teachers and many considerate programmers who share their code with the needy ones through internet. So, here I am to share the good software security practices through this blog with a belief that one day this endeavor of mine will contribute to the secure software development in various organizations around the world hence building the foundation of a vulnerability free cyber world.

In this blog, you will find what programmers should and shouldn’t do to ensure their applications are resilient to attacks in addition to some good practices being followed in various organizations around the world to produce secure software.