Is Your Third-Party Integration Secure? – by @Santhoshst
Security Testing Tips: Is Your Third-Party Integration Secure?
Gone are the days where we used to do everything from scratch in terms of developing the software. These days, we have third-party services, plug-ins, frameworks and what not which can be integrated with the software that you are developing. It may be a web application which uses FCK editor or it could be a mobile app which uses some JS framework. Now, all this is good and it helps you to develop the product much quicker when compared to olden days. However, it comes with a free package called “Risks”. That is why it becomes very crucial for you to get it tested for security quality criteria from your in-house security testers or hire white hat hackers from some other vendor or consultant.
Example: You may have sanitized the input to avoid execution of HTML tags or JS tags in order to restrict attack like cross site-scripting (also known as XSS) which is one of the OWASP Top 10 attacks is really lethal, but your third-party component is not sanitizing it and is vulnerable to XSS attack which helps the black-hat hacker to plant XSS and it could lead to XSRF which means nightmare.
Here are some of the practices that you may want to follow if you are using third-party software or component in your web application!
— Search the web if someone is already speaking about the vulnerabilities in the specific third-party component.
— Always go for premium service if the pricing is not that high and you can afford. Instead of nightmare, it is good to invest minimal money on credible services.
— Go with the established brands as they have been tried and used by many people on the web and there is some amount of trust you can put in such widely used brands.
— If you care for the security of your software very much, it is always good to hire a security researcher to perform security tests and approve it for integration.
— Check the Common Vulnerabilities database if third-party component that you want to use is infected.
— Make sure your security framework is designed and developed to not get affected by third party vulnerabilities going through the server. There needs to be some kind of firewall for stopping malicious stuff.
Case Study
Whole web application forms were sanitized for the input where users may not enter < > / and other characters. However, there was third-party text editor used for one of the feature. Now, the developer or testers did not test it before integrating it to the system. Once integrated, the editor had some of the form fields through which HTML or JS code could be entered and client-side validation couldn’t stop it. In that case, server smoothly executed the code. We exploited the XSS vulnerability through XSRF and then we could do lot of attacks like personal data theft, bringing the system down which relates to denial of service and basically doing anything that the system features allow.
Now, you know the importance of testing the third-party software for security in order to avoid nightmare. Just a marketing pitch here, if you want to get your web application tested for security, talk to me. Skype: santhosh.s.tuppad or twitter: @santhoshst
Leave a comment