Locking Down Wireless

Securing Holes in Wireless Applications Through Development Practices

prioritize security issues alongside other program defects, so that security issues can be fixed just like any other program flaw. Common methods to test applications include load-testing tools and tools that will generate input data for cross-site scripting, SQL injection, and buffer-overflow testing.

Threat Modeling
Threat modeling and countermeasures are important steps in the secure development lifecycle--ideally done when the wireless application's design is near completion. Threat modeling is an exercise in which developers identify which assets or pieces of sensitive information are housed by the application and which need protecting, in order to identify potential threats to that application. For example, what sort of data are wireless devices communicating back to the application?

Countermeasures can be implemented to test the application to ensure it does not leave private information vulnerable to potential attackers. Input filtering, one example of a countermeasure, is a technique programmers use to protect an application from attack by limiting the size and format of input to exactly what the application expects. For example, if an application is designed to accept a username that is all alphabet characters and a maximum length of eight characters, the application should reject all input that is longer than eight characters. This helps keep unexpected input from causing the application to perform unintended operations. Developers also should closely examine bandwidth, CPU time, and disk space to mitigate denial-of-service risks.
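The username rule described above, written as an allow-list filter; this is an added example, not code from the original article. The function and constant names are hypothetical, and treating "all alphabet characters" as ASCII letters only, with the empty string rejected, is an assumption.

```python
import re

# Policy from the article's example: alphabetic, at most eight characters.
MAX_USERNAME_LEN = 8
# Assumption: "alphabet characters" means ASCII A-Z/a-z, and empty input is rejected.
_USERNAME_RE = re.compile(r"[A-Za-z]{1,%d}" % MAX_USERNAME_LEN)


class RejectedInput(ValueError):
    """Raised when input does not match the expected size and format."""


def parse_username(raw: bytes) -> str:
    """Return the username if it matches the policy exactly, else raise RejectedInput."""
    # Size check first, on the raw bytes, so oversized input costs almost nothing.
    if len(raw) > MAX_USERNAME_LEN:
        raise RejectedInput("longer than 8 bytes")
    try:
        # Strict ASCII decode: multi-byte and look-alike letters stop here.
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise RejectedInput("non-ASCII bytes") from None
    # fullmatch, not match() with '$': '$' would also accept a trailing newline.
    if _USERNAME_RE.fullmatch(text) is None:
        raise RejectedInput("not 1-8 alphabetic characters")
    return text


def filter_batch(samples):
    """Map each sample to ('accept', value) or ('reject', reason)."""
    results = {}
    for raw in samples:
        try:
            results[raw] = ("accept", parse_username(raw))
        except RejectedInput as exc:
            results[raw] = ("reject", str(exc))
    return results


# Constructed sample inputs (not from the article).
SAMPLES = [b"alice", b"abcdefgh", b"abcdefghi", b"bob\n", b"al1ce",
           b"", b"a' OR 1", b"\xc3\xa9ric", b"A" * 4096]

if __name__ == "__main__":
    for raw, outcome in filter_batch(SAMPLES).items():
        print(repr(raw[:16]), outcome)
```

The filter rejects rather than repairs: input that fails the check is never trimmed or escaped into an acceptable form.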

Additionally, developers should employ a thought process in which they imagine themselves as an attacker who knows everything about what the application can do. They then should enumerate and categorize those threats to come up with ways to mitigate the risks. If that can't be done, the design needs to be changed and re-implemented. Organizations that need to comply with regulatory requirements, particularly in the financial services industry, should consider enlisting a third party for a penetration test, which will provide validation of the application's security.

Furthermore, all software developers should obtain training on basic application security principles. They also should take a more holistic approach to application development, building countermeasures into the design process and conducting rigorous QA testing.

By focusing on the security risks inherent in the wireless application development process, developers can apply these principles to any programming language or technology. Architects, developers, and project managers can learn how to proactively integrate security principles into software engineering practices to prevent vulnerabilities from entering the code base. While there is not one "silver bullet" for building secure wireless applications, developers can employ multiple processes and tools that examine vulnerabilities in different ways to ensure application security before production.

With these security measures built into the application and potential security risks addressed at each stage of development, businesses can be assured of a lower vulnerability to attacks. Businesses with a more secure stance can confidently enjoy the enhanced productivity achieved through wireless and mobile technology.

AgileConnection is a TechWell community.
