[Article] Security Basics (Web & Mobile)
LizetErnand 060001J3SF Visits (2496)
Veryearly on while developing one of the Web 2.0 & Mobile servicessamples, I got a quick lesson on web security. Cesar, a colleague ofmine at the time, decided to run the IBM Rational AppScan toolagainst my service & sample. He very quickly found severalcross-site scripting vulnerabilities built into the service itself. Who was to know that echo'ing values back to the user (somethingusually considered helpful in app dev), would prove to be sodangerous when dealing with a web application? Apparently, everyoneelse who was not a newbie like me ;-). Just by scanning the sampleapp, AppScan was not only able to show (very quickly) exactly werethose vulnerabilities resided, but the tool also created examples toshow how those vulnerabilities could be exploited.
CesarE. Santiago and Maryann Hondo, discuss some of the most commonattacks directed at web applications today in this newdeveloperWorks article. They cover things like cross-site scripting, SQL injection,parameter tampering, cookie poisoning, and information leakage. They give examples of each and also provide steps on how to bestprevent them.
Thearticle also covers what considerations need to be made in thedevelopment cycle of mobile solutions and unique challenges that we,the web & mobile community faces. There is also mention, on howthe IBM Rational AppScan tools can help automate security into ourdevelopment processes. (Something we found to be very useful.)