118 ◾ Official (ISC)²® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
Watch for Common Application Programming Interface Issues—Some issues
are more common in application programming interfaces (APIs) than in other types
of applications or are specific to APIs. Some of these are as follows:
◾ Reliance on the implementation details of a particular programming
language to act as implicit security.
◾ Reliance on perimeter security in place of defense-in-depth. Once the
perimeter is breached, everything is wide open.
◾ API abilities open to anyone. This can lead to misuse of API abilities by other
software or attackers.
Choose the Programming Language with Care—Although secure code can
be written in any programming language, some programming languages are more
prone to specific issues than others by virtue of the language and its programming
principles. There are a number of languages to choose from, and the decision of
language may be a done deal based on the preferences and needs of the enterprise,
but there are some common language issues to be aware of.
Scripting languages, in general, are not designed to be secure. Some scripting
languages, like JavaScript, have security models, but these models are designed
more to protect the clients from malicious Web sites and not to protect the data or
servers. Additionally, scripting languages are known to have a considerable number
of security defects. If you intend to use a scripting language for all or part of your
project, researching flaws in that particular language will give you a good idea of
what to look for and what to add to the risk analysis.
Many programming languages like C and C++ give developers a huge amount
of control over things like pointers, memory management, etc. The downside
of this control is the increased risk of security defects in the code caused by
relatively simple errors. If one of these languages is chosen, this risk should be
mitigated by requiring automated or focused security code reviews to flush out
these coding issues.
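An added example, not from the book: the kind of relatively simple C error described above, next to the form a focused security code review would require. The record layout (one length byte followed by the name), the struct, and all function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX_LEN 16  /* constructed limit for this example */

struct user { char name[NAME_MAX_LEN]; uint8_t is_admin; };

/* Simple error: trusts the length byte taken from the input record.
 * A length above NAME_MAX_LEN - 1 writes past name[] into is_admin and beyond. */
void parse_user_unchecked(struct user *u, const uint8_t *rec)
{
    uint8_t len = rec[0];
    memcpy(u->name, rec + 1, len);   /* no bound on len */
    u->name[len] = '\0';             /* out of bounds as soon as len == 16 */
}

/* Reviewed form: the length is validated against the input and the
 * destination before any copy. Returns 0 on success, -1 if rejected. */
int parse_user_checked(struct user *u, const uint8_t *rec, size_t rec_len)
{
    if (u == NULL || rec == NULL || rec_len < 1)
        return -1;
    size_t len = rec[0];
    if (len > rec_len - 1)           /* claimed length exceeds the input */
        return -1;
    if (len >= sizeof u->name)       /* leave room for the terminator */
        return -1;
    memcpy(u->name, rec + 1, len);
    u->name[len] = '\0';
    return 0;
}

/* Constructed sample records: one well-formed, one with an oversized length. */
static const uint8_t REC_OK[]  = { 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t REC_BAD[] = { 40, 'A', 'A', 'A', 'A' };

/* Returns 1 when the good record parses, the bad one is refused,
 * and the adjacent is_admin field is left untouched. */
int demo(void)
{
    struct user u = { {0}, 0 };
    int ok  = parse_user_checked(&u, REC_OK, sizeof REC_OK);
    int bad = parse_user_checked(&u, REC_BAD, sizeof REC_BAD);
    return ok == 0 && bad == -1 && u.is_admin == 0
        && strcmp(u.name, "alice") == 0;
}
```

Both functions compile without error, which is why the text asks for automated or focused review rather than relying on the compiler to catch the defect.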
Some newer programming languages like .NET take that fine control of
memory and pointers away from the developers. Although this gives less fine
control, it helps to mitigate the common security flaws in code by taking care of
variable, pointer, and memory management as well as buffer sizing, etc. If one of these
languages is chosen for the project, there is still a risk of poor security practices in
coding and mitigation that should be called out.
Web 2.0 Considerations—Web 2.0 is the term for the brave new world of Web
design and technology rather than a language or technology in and of itself.
Web 2.0 tends to focus on the movement of Web-delivered content. Lightweight
applications are common and are supported by content syndication so users can
run applications entirely within a Web browser.